Junos® OS 11.4 Release Notes
Release 11.4R1, 8 December 2011, Revision 5
These release notes accompany Release 11.4R1 of the Junos OS. They describe device
documentation and known problems with the software. Junos OS runs on all Juniper
Networks M Series, MX Series, and T Series routing platforms, SRX Series Services
Gateways, J Series Services Routers, and the EX Series Ethernet Switches.
For the latest, most complete information about outstanding and resolved issues with the Junos OS software, see the Juniper Networks online software defect search application at http://www.juniper.net/prsearch.
You can also find these release notes on the Juniper Networks Junos OS Documentation Web page, which is located at https://www.juniper.net/techpubs/software/junos/.
Contents

Junos OS Release Notes for EX Series Switches (page 7)
  New Features in Junos OS Release 11.4 for EX Series Switches (page 7)
    Hardware (page 7)
    Access Control and Port Security (page 8)
    Ethernet Switching and Spanning Trees (page 8)
    Infrastructure (page 8)
    Layer 2 and Layer 3 Protocols (page 9)
    Management and RMON (page 9)
  Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches (page 10)
    Ethernet Switching and Spanning Trees (page 10)
    Fibre Channel over Ethernet (page 10)
    Hardware (page 10)
  Limitations in Junos OS Release 11.4 for EX Series Switches (page 11)
    Firewall Filters (page 11)
    Hardware (page 11)
    Infrastructure (page 12)
    Interfaces (page 13)
    J-Web Interface (page 13)
    Management and RMON (page 14)
    Multicast Protocols (page 14)
    Virtual Chassis (page 14)
Copyright © 2011, Juniper Networks, Inc.
  Outstanding Issues in Junos OS Release 11.4 for EX Series Switches (page 15)
    Ethernet Switching and Spanning Trees (page 15)
    Infrastructure (page 16)
    Interfaces (page 17)
    J-Web Interface (page 17)
    Software Upgrade and Installation (page 19)
    Virtual Chassis (page 19)
  Resolved Issues in Junos OS Release 11.4 for EX Series Switches (page 19)
    Issues Resolved in Release 11.4R1 (page 20)
  Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches (page 28)
    Changes to the Junos OS for EX Series Switches Documentation (page 29)
    Errata (page 29)
  Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches (page 29)
    Upgrade and Downgrade Support Policy for Junos OS Releases (page 29)
    Upgrading from Junos OS Release 10.4R3 or Later (page 30)
    Upgrading from Junos OS Release 10.4R2 or Earlier (page 31)
    Downgrading to Junos OS Release 10.4R2 or Earlier (page 45)
    Downgrading to an Earlier Junos OS Release (page 46)
    Upgrading EX Series Switches Using NSSU (page 46)
Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers (page 49)
  New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers (page 49)
    Class of Service (page 49)
    High Availability (page 54)
    Interfaces and Chassis (page 56)
    Junos OS XML API and Scripting (page 73)
    Layer 2 Ethernet Services (page 75)
    MPLS Applications (page 75)
    Network Management (page 79)
    Routing Protocols (page 82)
    Subscriber Access Management (page 83)
    System Logging (page 109)
    User Interface and Configuration (page 116)
    VPNs (page 117)
  Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers (page 117)
    Errata (page 117)
    Changes to the Junos OS Documentation Set (page 125)
Junos OS Release Notes for Branch SRX Series Services Gateways and J Series Services Routers (page 127)
  New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers (page 127)
    Software Features (page 128)
    Hardware Features—SRX210 Services Gateways (page 136)
  Changes in Default Behavior and Syntax in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers (page 137)
    Command-Line Interface (CLI) (page 138)
    Intrusion Detection and Prevention (IDP) (page 138)
    Multicast (page 139)
    Virtual Private Networks (VPNs) (page 139)
  Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers (page 139)
    AppSecure (page 139)
    AX411 Access Points (page 140)
    Chassis Cluster (page 140)
    Command-Line Interface (CLI) (page 141)
    DOCSIS Mini-PIM (page 141)
    Dynamic Host Configuration Protocol (DHCP) (page 141)
    Dynamic VPN (page 141)
    Flow and Processing (page 142)
    Group VPN Interoperability with Cisco’s GET VPN for Juniper Networks Security Devices that Support Group VPN (page 143)
    Hardware (page 145)
    Interfaces and Routing (page 145)
    Internet Key Exchange Version 2 (IKEv2) (page 147)
    Intrusion Detection and Prevention (IDP) (page 147)
    IPv6 IPsec (page 149)
    Layer 2 Transparent Mode (page 150)
    IPv6 Support (page 150)
    J-Web (page 150)
    Network Address Translation (NAT) (page 151)
    Power over Ethernet (PoE) (page 152)
    Security (page 152)
    Simple Network Management Protocol (SNMP) (page 153)
    Switching (page 153)
    Unified Threat Management (UTM) (page 154)
    Upgrade and Downgrade (page 154)
    Virtual Private Networks (VPNs) (page 155)
    Unsupported CLI for Branch SRX Series Services Gateways and J Series Services Routers (page 155)
      Accounting-Options Hierarchy (page 155)
      AX411 Access Point Hierarchy (page 155)
      Chassis Hierarchy (page 155)
      Class-of-Service Hierarchy (page 155)
      Ethernet-Switching Hierarchy (page 155)
      Firewall Hierarchy (page 156)
      Interfaces CLI Hierarchy (page 156)
        Aggregated Interface CLI (page 156)
        ATM Interface CLI (page 157)
        Ethernet Interfaces (page 158)
        GRE Interface CLI (page 158)
        IP Interface CLI (page 158)
        LSQ Interface CLI (page 159)
        PT Interface CLI (page 159)
        T1 Interface CLI (page 159)
        VLAN Interface CLI (page 160)
      Protocols Hierarchy (page 160)
      Routing Hierarchy (page 161)
      Services Hierarchy (page 161)
      SNMP Hierarchy (page 161)
      System Hierarchy (page 161)
  Outstanding Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers (page 162)
    Application Layer Gateway (ALG) (page 162)
    Chassis Cluster (page 162)
    Flow and Processing (page 162)
    Interfaces and Routing (page 163)
    Intrusion Detection and Prevention (IDP) (page 163)
    J-Web (page 164)
    Layer 2 Transparent Mode (page 165)
    Network Address Translation (NAT) (page 166)
    Upgrade and Downgrade (page 166)
    UTM (page 166)
    VPN (page 167)
  Resolved Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers (page 167)
    Application Layer Gateways (ALGs) (page 168)
    Authentication (page 168)
    Chassis Cluster (page 168)
    DHCP (page 169)
    Flow and Processing (page 169)
    Interfaces and Routing (page 170)
    Intrusion Detection and Prevention (IDP) (page 170)
    J-Web (page 170)
    License (page 171)
    NAT (page 171)
    Switching (page 171)
    UTM (page 171)
    Virtual Private Network (VPN) (page 171)
  Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers (page 172)
    Errata for the Junos OS Software Documentation (page 172)
    Errata for the Junos OS Hardware Documentation (page 174)
  Upgrade and Downgrade Instructions for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers (page 176)
    Upgrade and Downgrade Scripts for Address Book Configuration (page 177)
    Upgrade Policy for Junos OS Extended End-Of-Life Releases (page 179)
    Hardware Requirements for Junos OS Release 11.4 for SRX Series Services Gateways and J Series Services Routers (page 179)
Junos OS Release Notes for High-End SRX Series Services Gateways (page 182)
  New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 182)
    Software Features (page 183)
  Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 195)
    AppSecure Application Package Upgrade Changes (page 196)
    General Packet Radio Service (GPRS) (page 196)
    Intrusion Detection and Prevention (IDP) (page 196)
    IPv6 (page 197)
    Management Information Base (MIB) (page 197)
    Multicast (page 198)
    Security (page 198)
  Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 198)
    AppSecure (page 198)
    Chassis Cluster (page 199)
    Dynamic Host Configuration Protocol (DHCP) (page 200)
    Dynamic VPN (page 200)
    Flow and Processing (page 200)
    Hardware (page 201)
    Interfaces and Routing (page 202)
    Internet Key Exchange Version 2 (IKEv2) (page 202)
    Intrusion Detection and Prevention (IDP) (page 203)
    Internet Protocol Security (IPsec) (page 205)
    IPv6 IPsec (page 205)
    IPv6 Support (page 206)
    J-Web (page 207)
    Logical Systems (page 208)
    Network Address Translation (NAT) (page 209)
    Security (page 211)
    Simple Network Management Protocol (SNMP) (page 211)
    Unsupported CLI (page 211)
    Virtual Private Networks (VPNs) (page 212)
  Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 212)
    Application Layer Gateway (ALG) (page 212)
    Chassis Cluster (page 213)
    Flow and Processing (page 213)
    Interfaces and Routing (page 215)
    Intrusion Detection and Prevention (IDP) (page 215)
    J-Web (page 215)
    Logical Systems (page 216)
    Management Information Base (MIB) (page 216)
    Network Address Translation (NAT) (page 216)
    Upgrade and Downgrade (page 217)
    Virtual Private Network (VPN) (page 217)
  Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 217)
    Application Layer Gateways (ALGs) (page 218)
    Chassis Cluster (page 218)
    Flow and Processing (page 218)
    Installation and Upgrade (page 219)
    Intrusion Detection and Prevention (IDP) (page 219)
    Infrastructure (page 219)
    Interfaces and Routing (page 219)
    IPv6 (page 219)
    J-Web (page 219)
    Logical Systems (page 220)
    Network Address Translation (NAT) (page 220)
    SNMP MIBs (page 220)
    Virtual Private Network (VPN) (page 220)
  Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 220)
    Errata for the Junos OS Software Documentation (page 220)
    Errata for the Junos OS Hardware Documentation (page 221)
  Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 223)
    Upgrade and Downgrade Scripts for Address Book Configuration (page 223)
    Upgrade Policy for Junos OS Extended End-Of-Life Releases (page 226)
    Hardware Requirements for Junos OS Release 11.4 for High-End SRX Series Services Gateways (page 226)
Junos OS Documentation and Release Notes (page 227)
Documentation Feedback (page 227)
Requesting Technical Support (page 227)
Revision History (page 229)
Junos OS Release Notes for EX Series Switches
• New Features in Junos OS Release 11.4 for EX Series Switches on page 7
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches on page 10
• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11
• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15
• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19
• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches on page 28
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches on page 29
New Features in Junos OS Release 11.4 for EX Series Switches
This section describes new features in Release 11.4 of the Junos operating system (Junos OS) for EX Series switches.
Not all EX Series software features are supported on all EX Series switches in the current release. For a list of all EX Series software features and their platform support, see EX Series Switch Software Features Overview.
New features are described on the following pages:
• Hardware on page 7
• Access Control and Port Security on page 8
• Ethernet Switching and Spanning Trees on page 8
• Infrastructure on page 8
• Layer 2 and Layer 3 Protocols on page 9
• Management and RMON on page 9
Hardware
• Support for enhanced feature licenses on EX3300 switches—EX3300 switches now support enhanced feature licenses (EFLs). [See Understanding Software Licenses for EX Series Switches.]
• EX4500 Virtual Chassis and mixed EX4200 and EX4500 Virtual Chassis enhancements—An EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis can now include up to ten EX4500 member switches. An EX4200 switch and an EX4500 switch can now be configured in the master and backup roles in the same mixed EX4200 and EX4500 Virtual Chassis. These Virtual Chassis now support nonstop bridging (NSB) and Link Aggregation Control Protocol (LACP). [See EX3300, EX4200, and EX4500 Virtual Chassis, Understanding Nonstop Bridging on EX Series Switches, and Understanding Aggregated Ethernet Interfaces and LACP.]
• New line card support for EX8200 Virtual Chassis—The following line cards can now be used in EX8200 switches that are members of an EX8200 Virtual Chassis:
  • EX8200-2XS-40P (40-port PoE+ with 4-port SFP and 2-port SFP+ line card)
  • EX8200-2XS-40T (40-port RJ-45 with 4-port SFP and 2-port SFP+ line card)
  • EX8200-48PL (48-port PoE+ 20-Gbps line card)
  • EX8200-48TL (48-port RJ-45 20-Gbps line card)
[See Line Card Model and Version Compatibility in an EX8200 Switch.]
• New extra-scale EX8200 line card—A new extra-scale line card provides larger route table sizes than its associated non-extra-scale model to store more IPv4 and IPv6 unicast routes. This extra-scale model is supported on standalone EX8200 switches and on EX8200 Virtual Chassis.
  • 40-port SFP+ line card (EX8200-40XS-ES)
[See Line Card Model and Version Compatibility in an EX8200 Switch.]
Access Control and Port Security
• Persistent MAC learning—Persistent MAC learning, also known as sticky MAC, is a port security feature that allows retention of dynamically learned MAC addresses on an interface across restarts of the switch and interface-down events. Persistent MAC address learning is disabled by default. By enabling persistent MAC learning along with MAC limiting, you can allow interfaces to learn MAC addresses of trusted workstations and servers during the period from when you connect the interface to your network until the limit for MAC addresses is reached, and ensure that after this initial period with the limit reached, new devices will not be allowed even if the switch restarts. The alternatives to using persistent MAC learning with MAC limiting are to statically configure each MAC address on each port or to allow the port to continuously learn new MAC addresses after restarts or interface-down events. [See Understanding Persistent MAC Learning (Sticky MAC).]
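As an added example (not from the release notes), the following Junos OS configuration contrasts MAC limiting alone with MAC limiting plus persistent MAC learning on one access port. The interface name ge-0/0/1 and the limit of 2 are assumed values, and the secure-access-port statement names and the persistent-mac operational commands are given as the editor understands them for this release family, not quoted from this page.

```junos
# Added example, not from the release notes. Assumed values: access port
# ge-0/0/1.0 and a limit of 2 trusted MAC addresses.

# Before: MAC limiting alone. The two learned addresses are discarded on a
# switch restart or an interface-down event, so after the port comes back it
# re-learns whichever two devices happen to appear first.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 2 action drop

# After: add persistent learning. The two addresses learned during the initial
# connection period are retained across restarts and interface-down events,
# and frames from any further source MAC address are dropped by the limit.
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 mac-limit 2 action drop
set ethernet-switching-options secure-access-port interface ge-0/0/1.0 persistent-learning
commit

# Verify which addresses are now bound to the port. Clear the retained
# entries only when a trusted host on that port is legitimately replaced.
run show ethernet-switching table persistent-mac
run clear ethernet-switching table persistent-mac interface ge-0/0/1.0
```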
Ethernet Switching and Spanning Trees
• Distributed periodic packet management (PPM) virtual routing and forwarding (VRF) support—VRF traffic is now processed on EX Series switches through distributed periodic packet management (PPM). Distributed PPM processing is transparent to users, and it allows the switches to better manage VRF traffic. [See Understanding Distributed Periodic Packet Management on EX Series Switches.]
Infrastructure
• Nonstop active routing for Protocol Independent Multicast (PIM) on EX8200 switches and EX8200 Virtual Chassis—Nonstop routing (NSR) for PIM is now supported on EX8200 switches and on EX8200 Virtual Chassis. You can now configure NSR to enable the transparent switchover between the master and backup Routing Engines without having to restart PIM. [See Understanding Nonstop Active Routing on EX Series Switches.]
• Enhancement for upgrades of loader software on EX8200 switches from Release 10.3R2 or earlier—Loader software can now be upgraded on the backup Routing Engine, thus reducing the downtime for the switch when upgrading software from Release 10.3R2 or earlier. For releases 10.4R3 or later, the loader software does not need to be upgraded.
Layer 2 and Layer 3 Protocols
• OSPFv2 on EX3300 switches—EX3300 switches now support OSPFv2. [See Layer 3 Protocols Supported on EX Series Switches.]
• Routed multicast traffic on virtual routing and forwarding (VRF) instances—Routed multicast traffic is now supported on all VRF instances, not just the default instance. [See Understanding Virtual Routing Instances on EX Series Switches.]
Management and RMON
• Erasure of all user-created files on the switch—A new media option is now available for the request system zeroize command. The request system zeroize media command completely erases all user-created files from the switch, including plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and Simple Network Management Protocol (SNMP), replacing all user-created data with zeros, and then reboots the switch, returning it to the factory default configuration. (Without the media option, the request system zeroize command simply removes configuration and log files and resets key values, then reboots the switch, returning it to the factory default configuration.)
CAUTION: Before running the request system zeroize or request system zeroize media command, use the request system snapshot command to back up the files currently used to run the switch to a secondary device.
[See request system zeroize.]
• Ethernet frame delay measurement—You can obtain Ethernet frame delay measurements (ETH-DM) on an EX Series switch. You can configure Operation, Administration, and Maintenance (OAM) statements for connectivity fault management (CFM) (IEEE 802.1ag) to provide on-demand measurements of frame delay and frame delay variation (jitter). You can configure the frame delay measurements in either a one-way mode or a two-way (round-trip) mode to gather frame delay statistics, including simultaneous statistics from multiple sessions. [See Understanding Ethernet Frame Delay Measurements on Switches.]
• Support for IEEE 802.1ag Ethernet OAM on EX8200 switches—Support for the
IEEE 802.1ag standard for Operation, Administration, and Maintenance (OAM) is now
available on EX8200 switches. The IEEE 802.1ag specification provides for Ethernet
connectivity fault management (CFM), which monitors Ethernet networks that might
comprise one or more service instances for network-compromising connectivity faults.
[See Understanding Ethernet OAM Link Fault Management for an EX Series Switch.]
Copyright © 2011, Juniper Networks, Inc.
Related Documentation
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches
on page 10
• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11
• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15
• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19
• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series
Switches on page 28
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches
on page 29
Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches
This section lists the changes in default behavior and syntax in Junos OS Release 11.4 for
EX Series switches.
Ethernet Switching and Spanning Trees
• The ingress-counting configuration statement in the [edit vlans] hierarchy has been
renamed l3-interfaces-ingress-counting. You use this configuration statement to activate
a routed VLAN interface (RVI) input counter on a named VLAN on an EX8200 switch.
Fibre Channel over Ethernet
• On the EX4500 switch, App-FCoE and ETS values appear in output for the show dcbx
neighbors terse command but are not applicable to the switch; ignore these values.
Hardware
• If you configure an SFP uplink module to operate in 1-gigabit mode by including the
sfpplus statement at the [edit chassis fpc slot pic pic-number] hierarchy of the
configuration, the configuration has no effect and no warning or error message is
displayed. The sfpplus statement configures the operating mode for SFP+ uplink
modules only, in Junos OS Releases 10.4R2 and later.
Related Documentation
• New Features in Junos OS Release 11.4 for EX Series Switches on page 7
• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11
• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15
• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19
• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series
Switches on page 28
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches
on page 29
Limitations in Junos OS Release 11.4 for EX Series Switches
This section lists the limitations in Junos OS Release 11.4 for EX Series switches. If the
limitation is associated with an item in our bug database, the description is followed by
the bug tracking number.
For the most complete and latest information about known Junos OS defects, use the
Juniper online Junos Problem Report Search application at
http://www.juniper.net/prsearch.
Firewall Filters
• On EX3200 and EX4200 switches, when a very large number of firewall filters are
included in the configuration, it might take a long time, possibly as long as a few minutes,
for the egress filter rules to be installed. [PR/468806: This is a known software
limitation.]
• On EX3300 switches, if you add and delete filters with a large number of terms (on
the order of 1000 or more) in the same commit operation, not all the filters are installed.
As a workaround, add filters in one commit operation, and delete filters in a separate
commit operation. [PR/581982: This is a known software limitation.]
• On EX8200 switches, if you configure an implicit or explicit discard action as the last
term in an IPv6 firewall filter on a loopback (lo0) interface, all the control traffic from
the loopback interface is dropped. To prevent this, you must configure an explicit accept
action. [This is a known software limitation.]
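The following configuration is an added illustration and is not part of these release notes or of Juniper's own documentation. It assumes an EX8200 switch running OSPFv3 over IPv6, a management host range of 2001:db8:10::/48, and the filter, term and counter names shown; all of these are chosen for the example. The first filter has the usual allowlist shape: it accepts the wanted protocols and relies on the implicit discard that ends every Junos filter, so on the affected release it drops all IPv6 control traffic reaching lo0. The second filter is the shape the workaround calls for: unwanted traffic is discarded by explicit earlier terms and the filter ends with an explicit accept term. One consequence that the limitation note does not spell out, and that follows from reading the workaround this way, is that an IPv6 lo0 filter on affected EX8200 switches cannot be default-deny; anything you want blocked must be named in a discard term before the final accept.

```junos
firewall {
    family inet6 {
        /* Shape A: allowlist. There is no terminating accept, so the implicit
           discard is the last action. On affected EX8200 releases this drops
           all IPv6 control traffic to lo0, including the OSPFv3 and ICMPv6
           traffic the two terms are meant to accept. Shown for contrast only;
           it is not applied to lo0 below. */
        filter lo0-v6-allowlist {
            term ospf3 {
                from {
                    next-header ospf;
                }
                then accept;
            }
            term icmp6 {
                from {
                    next-header icmp6;
                }
                then accept;
            }
        }
        /* Shape B: the workaround. Explicit discard terms for unwanted
           traffic, then an explicit accept as the last term. */
        filter lo0-v6 {
            /* Drop SSH to the Routing Engine from anywhere except the
               assumed management range. */
            term ssh-only-from-mgmt {
                from {
                    source-address {
                        ::/0;
                        2001:db8:10::/48 except;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-rejected;
                    discard;
                }
            }
            /* Final term: explicit accept, counted so the workaround can be
               verified after commit. */
            term accept-rest {
                then {
                    count accepted-control;
                    accept;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input lo0-v6;
                }
            }
        }
    }
}
```

The count action on the final term gives a quick check after the commit: if the accepted-control counter in the output of show firewall filter lo0-v6 increases while OSPFv3 adjacencies stay up, IPv6 control traffic is reaching the Routing Engine through the filter; a rising ssh-rejected counter confirms the discard term is doing its work.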
Hardware
• On 40-port SFP+ line cards for EX8200 switches, the LEDs on the left of the network
ports do not blink to indicate that there is link activity if you set the speed of the network
ports to 10/100/1000Mbps. However, if you set the speed to 10 Gbps, the LEDs blink.
[PR/502178: This is a known limitation.]
• The Uplink Modules in EX3200 Switches topic notes the following behavior for the SFP
uplink module, which provides four ports for 1-gigabit small form-factor pluggable
(SFP) transceivers: “On an EX3200 switch, if you install a transceiver in an SFP uplink
module, a corresponding network port from the last four built-in ports is disabled. For
example, if you install an SFP transceiver in port 2 on the uplink module (ge-0/1/2) on
24-port models, then ge-0/0/22 is disabled. The disabled port is not listed in the output
of show interface commands.”
Another note on the same page describes similar behavior of the SFP+ uplink module:
“On an EX3200 switch, if you install a transceiver in an SFP+ uplink module when the
uplink module is operating in the 1-gigabit mode, a corresponding network port from
the last four built-in ports is disabled. For example, if you install an SFP transceiver in
port 2 on the uplink module (ge-0/1/2), then ge-0/0/22 is disabled. The disabled port
is not listed in the output of show interfaces commands.”
However, in both cases what actually occurs is that when you install the SFP uplink
module or explicitly configure the mode on an SFP+ uplink module to 1-gigabit operating
mode and do not reboot the switch, the last four built-in ports on the switch are
disabled. If transceivers are installed in the uplink module, the corresponding built-in
network ports are not displayed in the output of show interfaces commands. The
workaround is to move all four links to the uplink module, or to reboot the switch for
correct initialization of the ports. [PR/686467: This is a known limitation.]
Infrastructure
• Do not use nonstop software upgrade (NSSU) to upgrade the software on an EX8200
switch from Junos OS Release 10.4 to Release 11.1 or later if you have configured the
PIM, IGMP, or MLD protocols on the switch. If you attempt to use NSSU, your switch
might be left in a nonfunctional state from which it is difficult to recover. If you have
these multicast protocols configured, use the request system software add command
to upgrade the software on an EX8200 switch from Release 10.4 to Release 11.1 or
later. [This is a known software limitation.]
• On EX Series switches, the show snmp mib walk etherMIB command does not display
any output, even though the etherMIB is supported. This occurs because the values
are not populated at the module level—they are populated at the table level only. You
can issue show snmp mib walk dot3StatsTable, show snmp mib walk dot3PauseTable,
and show snmp mib walk dot3ControlTable commands to display the output at the
table level. [PR/442373: This is a known software limitation.]
• Momentary loss of an inter-Routing Engine IPC message might trigger the alarm that
displays the message “Loss of communication with Backup RE”. However, no
functionality is affected. [PR/477943: This is a known software limitation.]
• On EX4500 switches, the maintenance menu is not disabled even if you include the
lcd maintenance-menu disable statement in the configuration. [PR/551546: This is a
known software limitation.]
• When you enable the filter-id attribute on the RADIUS server for a particular client,
none of the required 802.1X authentication rules are installed in the IPv6 database.
Therefore, IPv6 traffic on the authenticated interface is not filtered; only IPv4 traffic is
filtered on that interface. [PR/560381: This is a known software limitation.]
• On EX8200 switches, if OAM link-fault management (LFM) is configured on a member
of a VLAN on which Q-in-Q tunneling is also enabled, OAM PDUs cannot be transmitted
to the Routing Engine. [PR/583053: This is a known software limitation.]
• If you have configured sFlow technology on an EX8200 switch that you are upgrading
from Junos OS Release 10.4 or Release 11.1 to a later release using nonstop software
upgrade (NSSU), disable sFlow technology before you perform the upgrade. Once the
upgrade is complete, you can reenable sFlow technology. If you do not disable sFlow
technology before you perform the upgrade with NSSU, sFlow technology will not work
properly after the upgrade. Using NSSU to upgrade from Release 11.2 or later to a later
release has no impact on sFlow technology functionality. [PR/587138: This is a known
software limitation.]
• When you reconfigure the maximum transmission unit (MTU) value of a next hop more
than eight times without restarting the switch, the interface uses the maximum value
of the eight previously configured values as the next MTU value. [PR/590106: This is
a known software limitation.]
• On EX8208 and EX8216 switches that have two Routing Engines, one Routing Engine
cannot be running Junos OS Release 10.4 or later while the other one is running Release
10.3 or earlier. Ensure that both Routing Engines in a single switch run either Release
10.4 or later or Release 10.3 or earlier. [PR/604378: This is a known software limitation.]
Interfaces
• EX Series switches do not support IPv6 interface statistics. Therefore, all values in the
output of the show snmp mib walk ipv6IfStatsTable command always display a count
of 0. [PR/480651: This is a known software limitation.]
• On EX8216 switches, a link might go down momentarily when an interface is added to
a LAG. [PR/510176: This is a known software limitation.]
• On EX Series switches, if you clear LAG interface statistics while the LAG is down, then
bring up the LAG and pass traffic without checking for statistics, and finally bring the
LAG interface down and check interface statistics again, the statistics might be
inaccurate. As a workaround, use the show interfaces interface-name command to
check LAG interface statistics before bringing down the interface. [PR/542018: This is
a known software limitation.]
• You must connect directly to the master Switch Fabric and Routing Engine (SRE)
module or Routing Engine (RE) module of the EX8200 member switch to configure
Power over Ethernet (PoE) or Power over Ethernet Plus (PoE+) on an EX8200 Virtual
Chassis. You cannot configure PoE or PoE+ through the XRE200 External Routing
Engine.
To configure PoE or PoE+ on an EX8200 member switch in an operational EX8200
Virtual Chassis:
1. Connect directly to the member switch that contains the ports on which you will
configure PoE or PoE+ using one of the following methods:
• Log in to the Virtual Chassis, then enter the request session member member-id
command to redirect the session to the member switch.
• Cable a terminal device to the console port (labeled CON) on the master SRE or
RE module. See Connecting an EX Series Switch to a Management Console.
2. Configure PoE or PoE+. See Configuring PoE (CLI Procedure).
J-Web Interface
• EX2200-C, EX3300, and EX6210 switches do not support switch connection and
configuration through the J-Web interface. [This is a known software limitation.]
• If four or more EX8200-40XS line cards are inserted in an EX8208 or EX8216 switch,
the Support Information page (Maintain > Customer Support > Support Information)
in the J-Web interface might fail to load because the configuration might be larger than
the maximum size of 5 MB. The error message "Configuration too large to handle" is
displayed. [PR/552549: This is a known software limitation.]
• The J-Web interface does not support role-based access control; it supports only users
in the super-user authorization class. So a user who is not in the super-user class, such
as a user with view-only permission, is able to launch the J-Web interface and is allowed
to configure everything, but the configuration fails on the switch, and the switch displays
access permission errors. [PR/604595: This is a known software limitation.]
Management and RMON
• On EX Series switches, an SNMP query fails when the SNMP index size of a table is
greater than 128 bytes, because the NetSNMP tool does not support SNMP index sizes
greater than 128 bytes. [PR/441789: This is a known software limitation.]
• When MVRP is configured on a trunk interface, you cannot configure connectivity fault
management (CFM) on that interface. [PR/540218: This is a known software limitation.]
• The connectivity-fault management (CFM) process (cfmd) might create a core file.
[PR/597302: This is a known software limitation.]
Multicast Protocols
• MLD snooping of IPv6 multicast traffic is not supported. Layer 2 multicast traffic is
always flooded on the VLAN.
Virtual Chassis
• On an EX4500 Virtual Chassis, if you issue the ping command to the IPv6 address of
the virtual management Ethernet (VME) interface, the ping fails. [PR/518314: This is
a known software limitation.]
• The automatic software update feature is not supported on EX4500 switches that
are members of a Virtual Chassis. [PR/541084: This is a known software limitation.]
• When an EX4500 switch becomes a member of a Virtual Chassis, it is assigned a
member ID. If that member ID is a nonzero value, then if that member switch is
downgraded to a software image that does not support Virtual Chassis, you cannot
change the member ID to 0. A standalone EX4500 switch must have a member ID of
0. The workaround is to convert the EX4500 Virtual Chassis member switch to a
standalone EX4500 switch before downgrading the software to an earlier release, as
follows:
1. Disconnect all Virtual Chassis cables from the member to be downgraded.
2. Convert the member switch to a standalone EX4500 switch by issuing the request
virtual-chassis reactivate command.
3. Renumber the member ID of the standalone switch to 0 by issuing the request
virtual-chassis renumber command.
4. Downgrade the software to the earlier release.
[PR/547590: This is a known software limitation.]
• When you add a new member switch to an existing EX4200 Virtual Chassis, EX4500
Virtual Chassis, or mixed EX4200 and EX4500 Virtual Chassis in a ring topology, a
member switch that was already part of the Virtual Chassis might become
nonoperational for several seconds. The member switch will return to the operational
state with no user intervention. Network traffic to the member switch is dropped during
the downtime. To avoid this issue, follow this procedure:
1. Cable one dedicated or user-configured Virtual Chassis port (VCP) on the new
member switch to the existing Virtual Chassis.
2. Power on the new member switch.
3. Wait for the new switch to become operational in the Virtual Chassis. Monitor the
show virtual-chassis command output to confirm the new switch is recognized by
the Virtual Chassis and is in the Prsnt state.
4. Cable the other dedicated or user-configured VCP on the new member switch to
the Virtual Chassis.
[PR/591404: This is a known software limitation.]
Related Documentation
• New Features in Junos OS Release 11.4 for EX Series Switches on page 7
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches
on page 10
• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15
• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19
• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series
Switches on page 28
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches
on page 29
Outstanding Issues in Junos OS Release 11.4 for EX Series Switches
The following are outstanding issues in Junos OS Release 11.4R1 for EX Series switches.
The identifier following the description is the tracking number in our bug database.
For the most complete and latest information about known Junos OS defects, use the
Juniper online Junos Problem Report Search application at
http://www.juniper.net/prsearch.
Other software issues that are common to both EX Series switches and M, MX, and T
Series routers are listed in Issues in Junos OS Release 11.4 for M Series, MX Series, and T
Series Routers.
Ethernet Switching and Spanning Trees
• If the bridge priority of a VSTP root bridge is changed such that this bridge will become
a nonroot bridge, the transition might take more than 2 minutes, and you might see a
loop during the transition. [PR/661691]
• On EX Series and QFX Series switches, if you reconfigure a trunk port to access mode
(and if you perform the necessary dependent configurations to delete all but one of
the VLANs), or if you reconfigure an access port to trunk mode, VLAN Spanning Tree
Protocol (VSTP) instances might not converge properly, resulting in the formation of
a loop. As a workaround, delete the VSTP configuration before reconfiguring the ports.
[PR/668449]
• When the same MAC address is learned on two VLANs, an Ethernet switching process
(eswd) core file might be created. [PR/693942]
Infrastructure
• The system log (syslog) files contain the message "Juniper syscall not available". These
messages are harmless, and you can ignore them. [PR/519153]
• On EX8208 switches, when a line card that has no interface configurations and is not
connected to any device is taken offline using the request chassis fpc-slot slot-number
offline command, the Bidirectional Forwarding Detection process (bfd) starts and
stops repeatedly. The same bfd process behavior occurs on a line card that is connected
to a Layer 3 domain when another line card that is on the same switch and is connected
to a Layer 2 domain is taken offline. [PR/548225]
• On switches on which a large number of VLAN interfaces are configured, when the
backup Routing Engine is rebooting and a large amount of traffic is being sent, OSPF
and IS-IS sessions might go down and come back up on routed VLAN interfaces (RVIs).
[PR/603940]
• On switches onwhich a large number of VLAN interfaces are configured, BFD sessions
might go down and come back up on routed VLAN interfaces (RVIs) during a graceful
Routing Engine switchover (GRES) operation. [PR/612642]
• On EX8200 switches, if a graceful Routing Engine switchover occurs and you then
issue the restart routing command, a routing protocol process (rpd) core file might be
created. [PR/660739]
• On EX4500 switches, ICMPv6 packets might transit the Routing Engine even though
IPv6 is not configured. [PR/682953]
• On EX Series switches, when you are configuring DHCP option 82, the
use-interface-description statement, which uses the interface description rather than
the interface name (the default) in the circuit ID or remote ID value in the DHCP option
82 information, does not work. [PR/695712]
• When the switch is performing 802.1X (dot1x) authentication using MAC RADIUS, you
might see the following message in the system log (syslog) file: "kmem type temp
using 57344K, exceeding limit 57344K". [PR/697815]
• When PIM is configured in a routing instance and nonstop active routing (NSR) is
enabled, a core file might be created after a graceful Routing Engine switchover (GRES)
operation. [PR/702796]
Interfaces
• When you configure the member interfaces of an aggregated Ethernet interface before
you configure the aggregated Ethernet (ae0) device using set commands from the CLI,
the aggregated Ethernet interface does not receive MAC updates. As a workaround,
configure the aggregated Ethernet interface first, then configure the member interfaces.
[PR/680913]
J-Web Interface
• In the J-Web interface, in the Port Security Configuration page (Configure > Security >
Port Security), you are required to configure action when you configure MAC limit even
though configuring an action value is not mandatory in the CLI. [PR/434836]
• In the J-Web interface, in the OSPF Global Settings table in the OSPF Configuration
page, the Global Information table in the BGP Configuration page, or the Add Interface
window in the LACP Configuration page, if you try to change the position of columns
using the drag-and-drop method, only the column header moves to the new position
instead of the entire column. [PR/465030]
• When a large number of static routes is configured and you have navigated to pages
other than page 1 in the Route Information table on the Static Routing monitoring page
in the J-Web interface (Monitor > Routing > Route Information), changing the Route
Table to query other routes refreshes the page but does not return to page 1. For
example, if you run a query from page 3 and the new query returns very few results,
the Results table continues to display page 3 and shows no results. To view the results,
navigate to page 1 manually. [PR/476338]
• In the J-Web interface, the dashboard does not display the uplink ports or uplink module
ports unless transceivers are plugged into the ports. [PR/477549]
• In the J-Web interface for EX4500 switches, the Port Configuration page (Configure
> Interfaces > Ports), the Port Security Configuration page (Configure > Security >
Port Security), and the Filters Configuration page (Configure > Security > Filters)
display features that are not supported on EX4500 switches. [PR/525671]
• When you use an HTTPS connection in the Microsoft Internet Explorer browser to save
a report from the following pages in the J-Web interface, the error message “Internet
Explorer was not able to open the Internet site” is displayed on the pages:
• Files page (Maintain > Files)
• History page (Maintain > Config Management > History)
• Port Troubleshooting page (Troubleshoot > Troubleshoot > Troubleshoot Port)
• Static Routing page (Monitor > Routing > Route Information)
• Support Information page (Maintain > Customer Support > Support Information)
• View Events page (Monitor > Events and Alarms > View Events)
[PR/542887]
• When you open a J-Web session using HTTPS, then enter a username and password
and click on the Login button, the J-Web interface takes 20 seconds longer to launch
and load the Dashboard page than it does if you use HTTP. [PR/549934]
• If you have accessed the J-Web interface using an HTTPS connection through the
Microsoft Internet Explorer Web browser, you might not be able to download and save
reports from some pages on the Monitor, Maintain, and Troubleshoot tabs. Some
affected pages are at these locations:
• Maintain > Files > Log Files > Download
• Maintain > Config Management > History
• Maintain > Customer Support > Support Information > Generate Report
• Troubleshoot > Troubleshoot Port > Generate Report
• Monitor > Events and Alarms > View Events > Generate Report
• Monitor > Routing > Route Information > Generate Report
As a workaround, you can use the Mozilla Firefox Web browser to download and save
reports using an HTTPS connection. [PR/566581]
• If you have created dynamic VLANs by enabling MVRP from the CLI, then in the J-Web
interface, the following features do not work with dynamic VLANs and static VLANs:
• On the Port Configuration page (Configure > Interface > Ports)—Port profile (select
the interface, click Edit, and select Port Role) or the VLAN option (select the interface,
click Edit, and select VLAN Options).
• VLAN option on the Link Aggregation page (Configure > Interface > Link
Aggregation)—Select the aggregated interface, click Edit, and click VLAN.
• On the 802.1X Configuration page (Configure > Security > 802.1x)—VLAN assignment
in the exclusion list (click Exclusion List and select VLAN Assignment) or the move
to guest VLAN option (select the port, click Edit, select 802.1X Configuration, and
click the Authentication tab).
• Port security configuration (Configure > Security > Port Security).
• On the Port Mirroring Configuration page (Configure > Security > Port
Mirroring)—Analyzer VLAN or ingress or egress VLAN (click Add or Edit and then
add or edit the VLAN).
[PR/669188]
• On EX4500 switches, you cannot configure BGP on the BGP Configuration page
(Configure > Routing > BGP). [PR/699308]
• In the J-Web interface, HTTPS access might work with an invalid certificate. As a
workaround, after you change the certificate, issue the restart web-management
command to restart the J-Web interface. [PR/700135]
• On EX4500 Virtual Chassis, if you use the CLI to switch from Virtual Chassis mode to
intraconnect mode, the J-Web dashboard might not list all the Virtual Chassis hardware
components and the image of the master and backup chassis might not be visible
after an autorefresh occurs. [PR/702924]
• In the J-Web interface, if you disable a port whose link status is down, the J-Web
interface displays the incorrect link status for that interface. [PR/705836]
• In the J-Web interface on an EX4500 Virtual Chassis, if you configure four or more
Virtual Chassis members on the Support Information page (Maintain > Customer
Support > Support Information), you might see the error "Configuration of switch is
too large". [PR/704992]
• In a mixed-mode Virtual Chassis, the J-Web interface does not list the features
supported by the backup line card. Instead, it lists only the features supported by the
master. [PR/707671]
Software Upgrade and Installation
• On EX3300 switches, when you load the factory default settings, the last two ports of
the uplink ports are configured as Virtual Chassis ports (VCPs). If you convert these
ports to normal network ports, they might not pass traffic. As a workaround, reboot
the switch after converting the ports. [PR/685300]
Virtual Chassis
• In an EX4200 Virtual Chassis, if a member other than the master reboots from the
backup partition, the system alarm "Host #Boot from backup root" should clear when
that member is rebooted from the active partition. However, the master retains the
alarm until it is rebooted or until the mastership switches. [PR/694256]
Related Documentation
• New Features in Junos OS Release 11.4 for EX Series Switches on page 7
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches
on page 10
• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11
• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19
• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series
Switches on page 28
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches
on page 29
Resolved Issues in Junos OS Release 11.4 for EX Series Switches
The following are the issues that have been resolved in Junos OS Release 11.4 for EX
Series switches. The identifier following the descriptions is the tracking number in our
bug database.
For the most complete and latest information about known Junos OS defects, use the
Juniper online Junos Problem Report Search application at
http://www.juniper.net/prsearch.
• Issues Resolved in Release 11.4R1 on page 20
Issues Resolved in Release 11.4R1
The following issues have been resolved in Junos OS Release 11.4R1. The identifier following
the description is the tracking number in our bug database.
Access Control and Port Security
• If storm control is enabled, the Link Aggregation Control Protocol (LACP) might stop
and then restart when Layer 2 packets are sent at a high rate of speed. As a workaround,
disable storm control for all multicast traffic on aggregated Ethernet interfaces by
issuing the command set ethernet-switching-options storm-control interface
interface-name no-multicast. [PR/575560: This issue has been resolved.]
• When the username for 802.1X (dot1x) authentication is longer than 50 characters,
Junos OS truncates the username field. [PR/588063: This issue has been resolved.]
• The show lldp neighbors command displays interface descriptions instead of interface
names. [PR/602442: This issue has been resolved.]
• If you have configured 802.1X (dot1x) on an interface, then removed the 802.1X
configuration, 802.1X filters configured on that interface are not deleted. [PR/662196:
This issue has been resolved.]
• When you reboot or upgrade the software on a switch that has an active client
connected to an 802.1X interface, a VLAN core file might be created. [PR/686513: This
issue has been resolved.]
Device Security
• If you configure storm control with the action shutdown, after you reboot the switch,
storm control is not enabled on all the ports on which it is configured. [PR/606054:
This issue has been resolved.]
Ethernet Switching and Spanning Trees
• On EX8200 switches, you might not be able to configure private VLANs across the
switch. [PR/599729: This issue has been resolved.]
• An EX Series switch might take more than 20 minutes to learn ARP entries, with the
result that incorrect Layer 2 next hops might be installed on the Packet Forwarding
Engine. This behavior can lead to inconsistent or intermittent communication issues
with devices that are connected to the switch. [PR/612605: This issue has been
resolved.]
• On EX8200 switches, a Q-in-Q service VLAN might not be removed when a packet
enters through a trunk port and exits from an access port. [PR/660247: This issue has
been resolved.]
• When BPDUs are forwarded to the best-effort queue instead of to the control queue,
MSTP might not converge. [PR/665376: This issue has been resolved.]
• On an EX4200 switch, when you disable a Q-in-Q interface on which you have
configured a large number (more than 500) of VLAN swap rules, control traffic might
be affected for about 10 minutes. During this time, the forwarding process (pfem) can
consume up to 98 percent of the CPU. The system resumes its normal state after the
forwarding process completes its processing. [PR/678792: This issue has been
resolved.]
• If you apply a large number of VLAN tags (approximately 1000 tags) and commit the
configuration after applying each individual tag, an mgd core file might be created.
[PR/680841: This issue has been resolved.]
• RSTP might process BPDUs that do not comply with the IEEE standard, which might
lead to unintended spanning-tree convergence behavior. [PR/683829: This issue has
been resolved.]
• When you enable VLANs and Q-in-Q tunneling on a switch, the switch drops packets
and no MAC address learning occurs. [PR/685481: This issue has been resolved.]
Firewall Filters
• When you configure a firewall filter for the ethernet-switching family, a pfem core file
might be created. [PR/580454: This issue has been resolved.]
• On EX8200 switches, if you configure a discard term on an egress firewall filter, the
filter might not block ARP broadcast packets. [PR/672621: This issue has been resolved.]
• For two-rate, three-color policers, the egress traffic might not flow at the configured
peak information rate (PIR). [PR/687564: This issue has been resolved.]
• When you configure VLAN ID translation when using Q-in-Q tunneling, if you apply a
tricolor marking (TCM) policer to the Q-in-Q interface, a Packet Forwarding Engine
(pfem) core file might be created. [PR/688438: This issue has been resolved.]
Hardware
• On an EX8200-40XS line card, if you insert an SFP transceiver into a port and then
disable autonegotiation on the port, the link does not come up. [PR/609413: This issue
has been resolved.]
• When certain SFPs that are not attached to optical cables are inserted into an EX
Series switch, the switch does not generate low-power warnings or alarms. The
transceivers that exhibit this behavior have these vendor (Opnext) part numbers:
TRS2000EN-S201 (10G-SR), TRS2000EN-S211 (10G-SR), and TRS5020EN-S201
(10G-LR). Use the show chassis pic fpc-slot fpc-number pic-slot pic-number command
to display the vendor part numbers of the transceivers in your switch. [PR/613153: This
issue has been resolved.]
• When the switch temperature exceeds its threshold, alarms for EX-PFE2 Packet
Forwarding Engines might not be raised. The functionality of the switch is not affected.
[PR/614354: This issue has been resolved.]
• On EX6210 switches, traffic might not exit from the 10-Gigabit Ethernet interfaces on
the Routing Engines. [PR/669330: This issue has been resolved.]
• On EX4500 switches, the LCD panel might not list the ADM (administrative status) or
DPX (duplex) options in the Idle menu. Also, when you press Enter to cycle through
the status LED modes, you might not be able to cycle through them. [PR/692341: This
issue has been resolved.]
High Availability
• On EX8200 Virtual Chassis, NSSU might get stuck when you upgrade FPCs one by
one. As a workaround, configure upgrade groups for groups of FPCs, which you can
then upgrade simultaneously, with minimal traffic loss. [PR/669764: This issue has
been resolved.]
• When you perform a nonstop software upgrade (NSSU) operation on an EX8200
Virtual Chassis, if you do not include the reboot option when you request the NSSU to
have the switch perform an automatic reboot, the upgrade might hang indefinitely
after the Junos OS images have been pushed to the master Routing Engine.
[PR/692422: This issue has been resolved.]
Infrastructure
• The number of users reported by the show system users command does not include
Web users. [PR/572822: This issue has been resolved.]
• On EX8200 switches, packets might occasionally be dropped with CRC32 errors, which
is a result of Packet Forwarding Engine corruption. [PR/576934: This issue has been
resolved.]
• On EX2200 switches, if you configure the dhcp-option82 statement, the switch might
stop operating and a software forwarding process (sfid) core file might be created.
[PR/588990: This issue has been resolved.]
• During a reboot of an EX8200 switch, the links on the interfaces of neighboring devices
might go up and down repeatedly even though the interfaces on the EX8200 switch
that connect to those interfaces on neighboring devices have not yet been initialized.
[PR/591800: This issue has been resolved.]
• When you press the tab key during an SFTP session, an sftp core file might be created.
[PR/593327: This issue has been resolved.]
• On EX8200 switches or on XRE200 External Routing Engines, after routing and traffic
recover from a graceful Routing Engine switchover (GRES) operation, a core file might
be created after the Ethernet switching process (eswd) is restarted or after a line card
is taken offline. [PR/596013: This issue has been resolved.]
• If you move a host to a port associated with a different DHCP pool than the one with
which it was originally associated, the Preboot Execution Environment (PXE) boot
process might fail. [PR/596152: This issue has been resolved.]
• The system log (syslog) file might contain the following message: "/var: filesystem
full". [PR/600145: This issue has been resolved.]
• On EX Series switches, the request system snapshot command mistakenly includes
the as-primary option. [PR/603204: This issue has been resolved.]
• When you commit an IPv6 configuration, the switch might display the db> prompt.
[PR/606959: This issue has been resolved.]
• On EX4200 switches, if you specify the source-address statement when configuring a
system log file, the switch might not send the correct source IP address to the syslog
server after the switch reboots. [PR/608724: This issue has been resolved.]
• In rare instances, a file system inconsistency might exist if you shut down an EX Series
switch ungracefully. The result is a system panic, and a vmcore file is created. As a
workaround, use the nand-mediack utility for checking bad blocks in the NAND flash
memory. Review KB20570
(http://kb.juniper.net/InfoCenter/index?page=content&id=KB20570) from the Juniper
Technical Assistance Center for instructions about how to use this utility. [PR/609798:
This issue has been resolved.]
• Packet loss of about 2 percent to 5 percent might occur for traffic destined to MAC
addresses starting with 03: or 09:. [PR/658631: This issue has been resolved.]
• When you upgrade Junos OS, traffic might not flow between two directly connected
interfaces. [PR/661131: This issue has been resolved.]
• If you have configured port 1 on the SFP uplink module, the system log files might show
an error and might get full within a few minutes. [PR/661426: This issue has been
resolved.]
• If you remove or change interfaces soon after completing a nonstop software upgrade
(NSSU) operation, the multicast snooping process (mcsnoopd) might create a core
file. [PR/662065: This issue has been resolved.]
• If you delete a VLAN that has no VLAN ID, firewall filters might stop operating properly.
[PR/662651: This issue has been resolved.]
• When DHCP unicast packets are processed on a server for the first time, the processing
time might slow down, which might prevent the DHCP lease from getting renewed.
[PR/668511: This issue has been resolved.]
• Layer 3 next-hop entries might remain queued in the kernel of the backup Routing
Engine and might never be installed in the forwarding table. [PR/670799: This issue
has been resolved.]
• A memory leak might occur, as evidenced by "jt_nh_multiple_init() returned error code
(No memory:3)!" system log (syslog) messages. This leak disrupts traffic forwarding.
[PR/676826: This issue has been resolved.]
• On EX Series switches, issuing the request system zeroize command reboots the switch
but fails to remove the configuration files in the /config and /var/db/config directories
and other user-created data. [PR/678403: This issue has been resolved.]
• The system log (syslog) files might contain storm-control–related messages even
when storm control is not configured. [PR/679231: This issue has been resolved.]
• The management process (mgd) might create a core file when reading very long lines.
For example, this can happen when the system displays a Junos OS configuration file
that contains very long lines. When mgd crashes, the command that you were executing
does not complete and the following errors appear in the messages file:
%KERN-3-BAD_PAGE_FAULT: pid 57182 (mgd), uid 0: pc 0x8870ab92 got a writefault at 0x8488000, x86 fault flags = 0x6
%KERN-6: pid 57182 (mgd), uid 0: exited on signal 11 (core dumped)
[PR/679992: This issue has been resolved.]
• The /var/log/wtmp file might become excessively large, and thus the switch might run
out of disk space on the /var partition. As a workaround, use the request system storage
cleanup command, or manually delete and re-create the /var/log/wtmp file from the
shell. [PR/681369: This issue has been resolved.]
• When the same firewall filter and Layer 3 classifier is applied to two Layer 3 interfaces,
a Packet Forwarding Engine (pfem) core file might be created. [PR/683747: This issue
has been resolved.]
• On EX2200 switches, when you have configured a syslog action on the me0 interface,
the switch might crash. [PR/694602: This issue has been resolved.]
• On EX3200 and EX4200 switches, transmit FIFO queue overruns might cause the
switch to stop working. [PR/695071: This issue has been resolved.]
Interfaces
• If you use the restart vrrp command to restart VRRP, a ppmd core file might be created.
[PR/602606: This issue has been resolved.]
• On EX4200 switches, when an uplink fails or is deactivated, failure detection is not
propagated to the downlink LAG interfaces. [PR/605468: This issue has been resolved.]
• The Ethernet interfaces in a link aggregation group (LAG) might all have the same
current MAC address as the parent aggregated Ethernet (ae-) interface. [PR/681385:
This issue has been resolved.]
• You might not be able to commit a configuration on an XRE200 External Routing
Engine, and the switch might display the error "could not save to juniper.save+".
[PR/689764: This issue has been resolved.]
• An EX4200 switch might stop forwarding traffic, and a Packet Forwarding Engine
(pfem) core file might be created. [PR/691504: This issue has been resolved.]
• When 10-Gigabit Ethernet interfaces flap frequently, a routing protocol process (rpd)
core file might be created. [PR/692126: This issue has been resolved.]
• On EX3200, EX4200, EX4500, EX6200, EX8208, and EX8216 switches, the root user
is allowed to telnet into the me0 interface, which does not comply with the default
Junos OS behavior, as documented in Connecting and Configuring an EX Series Switch
(CLI Procedure). [PR/695346: This issue has been resolved.]
IPv6
• On EX Series switches, IPv6 neighbor unreachability detection does not work. As a
workaround, use the clear ipv6 neighbor command to initiate neighbor detection.
[PR/613230: This issue has been resolved.]
J-Web Interface
• In the J-Web interface, the link status might not be displayed correctly on the Port
Configuration page or the LACP (Link Aggregation Control Protocol) Configuration
page if the Commit Options preference is set to "single commit" (the Validate
configuration changes option). [PR/566462: This issue has been resolved.]
• If the password has been removed from the authentication-order statement and the
external authentication server (TACACS+ or RADIUS) is down, you might not be able
to log in to the J-Web interface. [PR/599613: This issue has been resolved.]
• In the J-Web interface, when you open the Static Routing Configuration page (Configure
> Routing > Static Routing) and click Edit to edit an IPv6 static route, the J-Web interface
displays the page for editing IPv4 addresses. As a workaround, use the CLI
to edit the IPv6 addresses. [PR/660613: This issue has been resolved.]
• In the J-Web interface, the report generated from the Events page (Monitor > Events
and Alarms > View Events) does not show the description for the first four to five
events. As a workaround, view the description from the Events page or from the Junos
OS CLI. [PR/661752: This issue has been resolved.]
• On EX8200 Virtual Chassis that include an EX8216 switch in which an EX8200-40XS
line card is installed in slot 2, 3, or 4, the J-Web interface does not populate the line
card’s interfaces images in the expanded view of the dashboard. As a workaround,
install the line card in a slot other than one of these three. [PR/662231: This issue has
been resolved.]
• In the J-Web interface, on the Static Routing configuration page (Configure > Routing
> Static Route > Add), you can configure only negative values and boundary values
in the IP octet, but you cannot configure empty values. As a workaround, fill in all the
octets before committing the values. [PR/665435: This issue has been resolved.]
• In the J-Web interface, you cannot associate a filter name that contains spaces to a
VLAN on the VLAN Configuration page (Configure > Switching > VLAN). As a
workaround, go to the Filters Configuration page (Configure > Security > Filters), click
the filter name to be associated, and then click Edit. In the popup window, use the
Association tab to associate a VLAN to the filter. [PR/677145: This issue has been
resolved.]
• In the J-Web interface, on the Redundant Trunk Group (RTG) Configuration page
(Configure > Switching > RTG), the Commit option is not enabled. As a workaround,
select the Validate and commit configuration change option before modifying the
configuration. [PR/677220: This issue has been resolved.]
• In the J-Web interface, the tooltip for Fan Image might not load in the dashboard. As
a workaround, view the fan status on the Chassis Information page (Monitor > System
View > Chassis Information). [PR/677922: This issue has been resolved.]
• In the J-Web interface, the dashboard is not displayed. [PR/700274: This issue has
been resolved.]
Layer 2 and Layer 3 Protocols
• If a router or switch acting as both an autonomous system boundary router (ASBR)
and an area border router (ABR) is reachable through both a backbone area and a stub
area, and if the advertisement through stub area advertising has a higher metric than
the advertisement through the backbone area, the external routes might be installed
incorrectly in the routing table. The routing table entry incorrectly shows that the next
hop is through the stub area. [PR/610813: This issue has been resolved.]
• When a BGP interface is flapping quickly, BGP might unnecessarily withdraw prefixes
even when a good route to that prefix still exists. [PR/677191: This issue has been
resolved.]
• In the J-Web interface, if you discard any available MIB profile, file, or predefined object
from accounting-options on the Point and Click CLI Configuration page (Configure >
CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround, perform
the same operation from the CLI. [PR/689261: This issue has been resolved.]
Management and RMON
• When you configure sFlow monitoring technology, the switch allows you to configure
separate ingress and egress sample rates on the same interface. Configuring more
than one sample rate on an interface can lead to inaccurate results, so configure just
one rate per interface. [PR/582521: This issue has been resolved.]
• The dot1qVlanStaticUntaggedPorts MIB reports incorrect values for voice VLANs.
[PR/658559: This issue has been resolved.]
• When you configure both sFlow monitoring technology and port mirroring features,
parity errors might occur, which might cause the switch to crash and then reboot.
[PR/658614: This issue has been resolved.]
• sFlow technology does not support IPv6 collectors, source IP addresses, or agent IDs.
In Junos OS releases previous to this one, configuration of these features was not
blocked. If your configuration includes any of these features, you must remove them
before upgrading to this Junos OS release. [PR/659922: This issue has been resolved.]
• When you create a static ARP entry for an interface and then issue the show snmp mib
walk command, the static ARP entry is incorrectly identified in the command output
as a dynamic entry (3) rather than a static entry (4). [PR/662290: This issue has been
resolved.]
• When the system is being polled for SNMP statistics, the syslog message "Process
(930,mib2d) attempted to exceed RLIMIT_DATA: attempted 65552 KB Max 65536
KB" might appear repeatedly in the system log (syslog) file. This is the result of a
memory leak caused by the MIB2 process (mib2d). [PR/664475: This issue has been
resolved.]
• When you use the snmpwalk application to get information about switch interfaces,
it returns information about incorrect interfaces. [PR/664940: This issue has been
resolved.]
• For EX Series switches, sFlow technology and routing policy have been removed from
the extended feature license (EFL). An EFL is now required only for the following
features: Q-in-Q tunneling, BFD liveness detection, connectivity fault management
(CFM), IGMP, MSDP, OSPFv2, PIM and PIM sparse mode, real-time performance
monitoring (RPM), service VLANs (S-VLANs), unicast reverse path forwarding (RPF),
virtual routers, and VRRP. [PR/672346: This issue has been resolved.]
Multicast Protocols
• You might not be able to delete stale multicast routes even though no corresponding
(S, G) traffic exists. [PR/674419: This issue has been resolved.]
• If interfaces go up and down frequently, a memory leak might occur and cfmd and
mcsnoopd core files might be created. [PR/688356: This issue has been resolved.]
• Approximately every 300 seconds, a multicast route entry is deleted and added back
again, resulting in a traffic loss of about 1-3 seconds. [PR/698129: This issue has been
resolved.]
Power over Ethernet
• On EX2200-C switches, two problems might occur when devices powered by Power
over Ethernet (PoE) are connected to the switch and the switch reboots. The first
problem occurs when PoE is enabled on the switch interfaces. The powered devices
connected to those interfaces draw power while the switch is rebooting, and then after
the switch stabilizes, the powered devices reboot twice. The second problem occurs
when PoE is disabled on the switch interfaces. The powered devices connected to
those interfaces draw power while the switch is rebooting, and then after the switch
stabilizes, the powered devices reboot twice and then shut down. As a workaround, if
you do not want the powered devices to reboot, connect them to the interfaces after
the switch has stabilized after its reboot. [PR/675971: This issue has been resolved.]
Software Installation and Upgrade
• On an XRE200 External Routing Engine, the rescue configuration might not get
synchronized with the backup XRE200 External Routing Engine. [PR/687797: This
issue has been resolved.]
Virtual Chassis
• On a Virtual Chassis that is configured with a private VLAN (PVLAN) and a link
aggregation group (LAG), if the Virtual Chassis loses one of its members, traffic flow
might not resume properly across the remaining LAG members, resulting in traffic loss.
[PR/587953: This issue has been resolved.]
• On EX8200 Virtual Chassis, the link status of an aggregated Ethernet (ae-) interface
managed by LACP goes down and comes back up when a graceful Routing Engine
switchover (GRES) operation is performed between the XRE200 External Routing
Engines. This switchover might have been initiated from the Junos OS CLI or because
of a failure of the master Routing Engine. [PR/599772: This issue has been resolved.]
• On EX8200 Virtual Chassis running a Junos OS image with resilient dual-root
partitioning, when the kernel synchronization process (ksyncd) on the backup Routing
Engines fails or when the master and backup Routing Engines are out of sync, both
conditions that create a ksyncd core file, it might take more than 12 minutes for the
core file to be created. During this time, the Virtual Chassis is highly unstable: the
Routing Engine CPU is at 100 percent; all control protocols, such as BFD, IS-IS, and
OSPF, are constantly stopping and restarting; and the CLI prompt is not displayed after
you type a CLI command. This issue does not occur with nonresilient dual-root
partitioning Junos OS images. [PR/609061: This issue has been resolved.]
• On EX4200 Virtual Chassis, if you configure an interface hold time, when you insert or
remove a transceiver, the chassis manager process (chassism) might create a core
file. As a workaround, delete the hold-time statement from the interface configuration.
[PR/664754: This issue has been resolved.]
• On EX8200 Virtual Chassis, if the topology is formed such that ingress multicast traffic
is routed first to the rendezvous point (RP) and then returns to the Virtual Chassis for
egress via Layer 2 multicast, the multicast traffic is forwarded only to receivers
connected to the Virtual Chassis member in which the returned multicast traffic is
received. Multicast traffic is not forwarded to other receivers in other Virtual Chassis
members. [PR/666355: This issue has been resolved.]
• On EX8200 Virtual Chassis, GRE-tunneled traffic is not transmitted across the chassis.
For possible workarounds, contact JTAC. [PR/669513: This issue has been resolved.]
• In Virtual Chassis composed of both EX4200 and EX4500 switches, you cannot
configure PoE. [PR/671980: This issue has been resolved.]
• When EX4200 and EX4500 switches are interconnected into the same Virtual Chassis
to form a mixed EX4200 and EX4500 Virtual Chassis, the switches might fail to form
a Virtual Chassis. [PR/681072: This issue has been resolved.]
Related Documentation
• New Features in Junos OS Release 11.4 for EX Series Switches on page 7
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches
on page 10
• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11
• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15
• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series
Switches on page 28
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches
on page 29
Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series Switches
• Changes to the Junos OS for EX Series Switches Documentation on page 29
• Errata on page 29
Changes to the Junos OS for EX Series Switches Documentation
There are no changes to the documentation for Junos OS Release 11.4R1 for EX Series
switches.
Errata
There are no outstanding issues with the documentation for Junos OS Release 11.4R1 for
EX Series switches.
Related Documentation
• New Features in Junos OS Release 11.4 for EX Series Switches on page 7
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches
on page 10
• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11
• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15
• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches
on page 29
Upgrade and Downgrade Instructions for Junos OS Release 11.4 for EX Series Switches
This section describes how to upgrade to or downgrade from Junos OS Release 11.4.
NOTE: If you are upgrading from Release 10.4R2 or earlier, you must install new loader
software as part of the upgrade process. This special software upgrade takes a little
more time to complete than a standard upgrade. See “Upgrading from Junos OS Release
10.4R2 or Earlier” on page 31 for instructions.
These instructions discuss the following subjects:
• Upgrade and Downgrade Support Policy for Junos OS Releases on page 29
• Upgrading from Junos OS Release 10.4R3 or Later on page 30
• Upgrading from Junos OS Release 10.4R2 or Earlier on page 31
• Downgrading to Junos OS Release 10.4R2 or Earlier on page 45
• Downgrading to an Earlier Junos OS Release on page 46
• Upgrading EX Series Switches Using NSSU on page 46
Upgrade and Downgrade Support Policy for Junos OS Releases
Support for upgrades and downgrades that span more than three Junos OS releases at
a time is not provided, except for releases that are designated as Extended End-of-Life
(EEOL) releases. EEOL releases provide direct upgrade and downgrade paths—you can
upgrade directly from one EEOL release to the next EEOL release even though EEOL
releases generally occur in increments beyond three releases.
You can upgrade or downgrade to the EEOL release that occurs directly before or after
the currently installed EEOL release, or to two EEOL releases before or after. For example,
Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS
Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4. However,
you cannot upgrade directly from a non-EEOL release that is more than three releases
ahead or behind. For example, you cannot directly upgrade from Junos OS Release 10.3
(a non-EEOL release) to Junos OS Release 11.4 or directly downgrade from Junos OS
Release 11.4 to Junos OS Release 10.3.
To upgrade or downgrade from a non-EEOL release to a release more than three releases
before or after, first upgrade to the next EEOL release and then upgrade or downgrade
from that EEOL release to your target release.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html.
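The support policy above, as an added example that is not part of the original release notes: a small Python checker that encodes the two rules (the three-release limit and the EEOL exception of up to two EEOL releases before or after) and, when a direct move is not supported, plans the route through the next EEOL release in the direction of travel, as the text advises. The ordered release train and the EEOL set are assumptions constructed from the page's own example (10.0, 10.4 and 11.4 are EEOL), not an official list; substitute the list from the EEOL page linked above before relying on the result.

```python
"""Upgrade/downgrade path checker for the Junos OS EEOL support policy.

Added example, not Juniper code. RELEASES and EEOL are constructed
assumptions based on the page's example; replace them with the official
EEOL list before use.
"""
from typing import List

# Assumed, ordered release train (constructed for illustration only).
RELEASES: List[str] = ["10.0", "10.1", "10.2", "10.3", "10.4",
                       "11.1", "11.2", "11.3", "11.4"]
# EEOL releases named in the page's example.
EEOL = {"10.0", "10.4", "11.4"}

MAX_SPAN = 3        # general rule: at most three releases apart
MAX_EEOL_HOPS = 2   # EEOL rule: up to two EEOL releases before or after


def _index(release: str) -> int:
    """Position of a release in the train; unknown releases are an error."""
    if release not in RELEASES:
        raise ValueError(f"unknown release {release!r}")
    return RELEASES.index(release)


def direct_supported(src: str, dst: str) -> bool:
    """True if a single upgrade or downgrade from src to dst is within policy."""
    i, j = _index(src), _index(dst)
    lo, hi = min(i, j), max(i, j)
    if src in EEOL and dst in EEOL:
        # Number of EEOL steps taken: EEOL releases after lo, up to and including hi.
        hops = sum(1 for r in RELEASES[lo + 1:hi + 1] if r in EEOL)
        if hops <= MAX_EEOL_HOPS:
            return True
    # Otherwise the general rule applies: a span of at most three releases.
    return hi - lo <= MAX_SPAN


def plan_path(src: str, dst: str) -> List[str]:
    """Releases to install in order, following the page's advice: when a direct
    move is unsupported, go to the next EEOL release in the direction of
    travel, then continue from there."""
    path = [src]
    cur = src
    while cur != dst:
        if direct_supported(cur, dst):
            path.append(dst)
            break
        i, j = _index(cur), _index(dst)
        # Releases ahead of cur in the direction of dst (upgrade or downgrade).
        ahead = RELEASES[i + 1:] if j > i else RELEASES[:i][::-1]
        nxt = next((r for r in ahead if r in EEOL), None)
        # The hop to that EEOL release must itself be within policy.
        if nxt is None or not direct_supported(cur, nxt):
            raise ValueError(f"no supported path from {src} to {dst}")
        path.append(nxt)
        cur = nxt
    return path


if __name__ == "__main__":
    for s, d in [("10.0", "10.4"), ("10.0", "11.4"), ("10.3", "11.4"), ("11.4", "10.2")]:
        kind = "direct" if direct_supported(s, d) else "via EEOL"
        print(f"{s} -> {d}: {kind}, path {plan_path(s, d)}")
```

The page's three examples come out as expected: 10.0 to 10.4 and 10.0 to 11.4 are direct (EEOL to EEOL within two hops), while 10.3 to 11.4 is not and is routed through 10.4 first. The same logic handles downgrades, since only the direction of travel changes.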
Upgrading from Junos OS Release 10.4R3 or Later
This section contains the procedure for upgrading from Junos OS Release 10.4R3 or later
to Junos 11.4. You can use this procedure to upgrade Junos OS on a standalone EX Series
switch with a single Routing Engine and to upgrade all members of a Virtual Chassis or
a single member of a Virtual Chassis.
To upgrade Junos OS on a standalone EX6200 switch or EX8200 switch with dual Routing
Engines, see Installing Software on an EX Series Switch with Redundant Routing Engines
(CLI Procedure).
On EX8200 switches and EX8200 Virtual Chassis, you can also use nonstop software
upgrade (NSSU) to upgrade Junos OS as described in “Upgrading EX Series Switches
Using NSSU” on page 46.
To upgrade Junos OS on a switch with a single Routing Engine or on a Virtual Chassis:
1. Download the software package as described in Downloading Software Packages from
Juniper Networks.
2. (Optional) Back up the current software configuration to a second storage option.
See the Junos OS Installation and Upgrade Guide for instructions.
3. (Optional) Copy the software package to the switch. We recommend that you use
FTP to copy the file to the /var/tmp directory.
This step is optional because you can also upgrade Junos OS using a software image
that is stored at a remote location.
4. Install the new software package on the switch:
user@switch> request system software add package
Replace package with one of the following paths:
• /var/tmp/package.tgz—For a software package in a local directory on the switch
• ftp://hostname/pathname/package.tgz or
http://hostname/pathname/package.tgz—For a software package on a remote server
package.tgz is the name of the package; for example,
jinstall-ex-4200-11.4R1.8-domestic-signed.tgz.
To install software packages on all switches in a mixed EX4200 and EX4500 Virtual
Chassis, use the set option to specify both the EX4200 package and the EX4500
package:
user@switch> request system software add set [package package]
To install the software package on only one member of a Virtual Chassis, include the
member option:
user@switch> request system software add package member member-id
Other members of the Virtual Chassis are not affected. To install the software on all
members of the Virtual Chassis, do not include the member option.
NOTE: To abort the installation, do not reboot your device. Instead, finish
the installation, then issue the request system software delete package.tgz
command, where package.tgz is the name of the package; for example,
jinstall-ex-8200-11.4R1.8-domestic-signed.tgz. This is the last chance to
stop the installation.
5. Reboot the switch to start the new software:
user@switch> request system reboot
To reboot only a single member in a Virtual Chassis, include the member option:
user@switch> request system reboot member
6. After the reboot has completed, log in and verify that the new version of the software
is properly installed:
user@switch> show version
Upgrading from Junos OS Release 10.4R2 or Earlier
Because of the introduction of resilient dual-root partitions in Release 10.4R3, upgrading
to Junos OS Release 11.4 from Release 10.4R2 or earlier requires a different procedure
than the one for upgrading from Release 10.4R3 or later. The dual-root partitions feature
incorporates enhancements that add additional steps when you upgrade from a release
that does not support resilient dual-root partitions to one that does. Once you are running
a release that supports resilient dual-root partitions, such as Release 11.4, future upgrades
will not require these additional steps.
The following points summarize the differences between this upgrade and previous
upgrades:
• The disk partitions are automatically reformatted to four partitions during the reboot
of the switch that completes the Junos OS upgrade. The reformat increases the reboot
time for EX8200 switches by 10 to 25 minutes per Routing Engine. For other switches,
the increase in boot time is 5 to 10 minutes.
• The configuration files in /config are saved in volatile memory before the reformat and
then restored after the reformat. However, the files in /var are not saved and are lost
after the upgrade.
NOTE: We recommend that you copy your data files to external media
using the request system snapshot command before you perform the
upgrade. Files in the /var directory, such as log files and user /home
directories, are not saved. In addition, a power failure during the reboot
could cause the configuration files to be lost.
• You must upgrade the loader software. You upgrade the loader software by installing
the loader software package from the CLI.
NOTE: To obtain the loader software package, see the Download Software
page at http://www.juniper.net/support/products/junos/dom/. Click on the
version, then the Software tab, then the name of the software install
package. In the pop-up Alert box, click on the link to the PSN document.
On switches other than EX8200 switches, upgrading the loader software does not
significantly increase upgrade time because you can complete the upgrade of both
Junos OS and the loader software with a single reboot.
On EX8200 switches, upgrading the loader software requires an additional reboot per
Routing Engine because of the way the loader software is stored in the flash memory.
On EX8200 switches only, you can verify that the loader software requires upgrading
before you perform the upgrade—if the loader software does not need upgrading, the
additional reboot per Routing Engine is not required.
NOTE: If you upgrade to Release 11.4 and do not upgrade the loader
software, the switch will come up and will function normally. However, if
the switch cannot boot from the active root partition, it will not be able to
transparently boot from the alternate root partition.
Table 1 on page 33 lists the installation packages required to upgrade the loader
software.
Table 1: Required Installation Packages for Upgrading the Loader Software
Platform                          Installation Package
EX2200 switch                     jloader-ex-2200-11.3build-signed.tgz
EX3200 switch                     jloader-ex-3242-11.3build-signed.tgz
EX4200 switch                     jloader-ex-3242-11.3build-signed.tgz
EX4500 switch                     jloader-ex-4500-11.3build-signed.tgz
EX8200 switch                     jloader-ex-8200-11.3build-signed.tgz
XRE200 External Routing Engine    The loader software does not need to be upgraded.
• When you upgrade to a release that supports resilient dual-root partitions from one
that does not, the upgrade process automatically copies the contents of the primary
root partition to the alternate root partition at the end of the upgrade process. Because
the resilient dual-root partitions feature enables the switch to boot transparently from
the alternate root partition, we recommend that you use the request system snapshot
command to copy the contents of the primary root partition to the alternate root
partition after all Junos OS upgrades to releases that include dual-root partitions.
NOTE: If you upgrade the loader software in a separate step after you upgrade
Junos OS, users might see the following message when they log in to the
switch:
At least one package installed on this device has limited support
This message can be safely ignored.
You can permanently remove this message by deleting the loader softwarepackage and rebooting the system. For example, on an EX4200 switch:
user@switch> request system software delete jloader-ex-3242Unmounted /packages/mnt/jloader-ex-3242-11.3 ...
user@switch> request system rebootReboot the system ? [yes,no] (no) yes
The following pages include more detailed instructions for performing a software upgrade
from Release 10.4R2 or earlier:
• Determining Whether the Loader Software Needs Upgrading on EX8200 Switches
and EX8200 Virtual Chassis on page 34
• Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200,
and Standalone EX4500 Switches on page 35
• Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis on page 36
• Upgrading the Loader Software on EX4500 Virtual Chassis and Mixed EX4200 and
EX4500 Virtual Chassis on page 38
• Upgrading Junos OS and the Loader Software on Standalone EX8200
Switches on page 39
• Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis on page 42
Determining Whether the Loader Software Needs Upgrading on EX8200 Switches and EX8200 Virtual Chassis
Before you begin the software upgrade on an EX8200 switch or an EX8200 Virtual
Chassis, determine whether the loader software needs upgrading. It is possible that a
switch running a Junos OS release earlier than Release 10.4R3 has a version of the loader
software installed that supports resilient dual-root partitions. For example, the switch
might have been shipped from the factory with a Junos OS release earlier than Release
10.4R3 but with a version of the loader software that supports resilient dual-root partitions.
Or the switch might have been downgraded from a Junos OS release that supports
resilient dual-root partitions but still retain a version of the loader software that supports
resilient dual-root partitions.
NOTE: This procedure is available only on EX8200 switches. On all other switches, you
must upgrade your loader software.
To determine whether the loader software needs upgrading:
1. Determine the version of the loader software:
user@switch> show chassis firmware
Part                     Type       Version
FPC 6                    U-Boot     U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 7                    U-Boot     U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
NOTE: On an EX8200 Virtual Chassis, you cannot execute this command on the master
external Routing Engine. The command must be executed on each member switch:
1. From the master external Routing Engine, start a shell session on the member
switch. For example:
user@external-routing-engine> request session member 0
2. Enter the CLI and execute the show chassis firmware command.
3. Repeat these steps for the other member switch.
The loader software version appears after the timestamp for U-Boot 1.1.6. In the
preceding example, the version is 3.5.0. (Ignore the 1.1.6 version information in U-Boot
1.1.6—it does not indicate whether or not the version of the loader software supports
resilient dual-root partitioning.)
2. If the loader software version is 3.5.0 or later on EX8200 switches, your loader software
does not need upgrading to support resilient dual-root partitioning. To upgrade to
Release 11.4, install Junos OS, following the standard installation procedures. See
“Upgrading from Junos OS Release 10.4R3 or Later” on page 30.
3. If the loader software version is earlier than 3.5.0, you must upgrade your loader
software. Follow the instructions in “Upgrading Junos OS and the Loader Software
on Standalone EX8200 Switches” on page 39 or “Upgrading Junos OS and the Loader
Software on EX8200 Virtual Chassis” on page 42.
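The version check in steps 1 through 3 can be scripted against saved output (for example, show chassis firmware text collected from each member over a console session before a maintenance window). The following is an added example, not code from the release notes or from Juniper: it parses the show chassis firmware text, extracts the loader version that follows the U-Boot build timestamp, and lists the Routing Engines whose loader is older than 3.5.0. The sample output is constructed (Routing Engine 1 has deliberately been given an older loader, and FPC 5 reports no version at all), and applying the 3.5.0 threshold only to Routing Engine rows is my reading of the procedure, not something the release notes state.

```python
"""Pre-upgrade loader check for EX8200 switches.

Added example (not Juniper's code): parses the text of `show chassis firmware`
and reports which Routing Engines carry a loader older than 3.5.0, the minimum
the release notes give for resilient dual-root partitioning on EX8200.
"""
import re

# Minimum Routing Engine loader version stated in the release notes for EX8200.
MIN_EX8200_LOADER = (3, 5, 0)

# One "U-Boot" row of `show chassis firmware`:
#   <Part>   U-Boot   U-Boot 1.1.6 (<build date>) <loader version>
# The "1.1.6" after the first "U-Boot" is ignored, as the release notes say;
# the version after the parenthesised build date is the one that matters.
# The version field is optional because some FPC rows carry none.
_UBOOT_ROW = re.compile(
    r"^(?P<part>\S.*?)\s+u-?boot\s+u-boot\s+\S+\s+\((?P<built>[^)]*)\)"
    r"\s*(?P<ver>\d+(?:\.\d+)*)?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """'3.5.0' -> (3, 5, 0); None when the field is empty or absent."""
    if not text:
        return None
    return tuple(int(piece) for piece in text.split("."))


def parse_chassis_firmware(output):
    """Map each part name to its loader version tuple (or None if not shown).

    Prompt lines, the 'Part Type Version' header, the 'fpcN:' and dashed
    separators of Virtual Chassis output, and the 'loader FreeBSD/PowerPC ...'
    continuation rows do not match the U-Boot row pattern and are skipped.
    """
    parts = {}
    for raw in output.splitlines():
        match = _UBOOT_ROW.match(raw.strip())
        if match:
            parts[match.group("part")] = parse_version(match.group("ver"))
    return parts


def routing_engines_needing_upgrade(output, minimum=MIN_EX8200_LOADER):
    """Routing Engines whose loader is below `minimum` or not reported at all.

    Assumption (mine, not stated by the release notes): the 3.5.0 threshold is
    applied to the Routing Engine rows only; FPC rows are listed but not judged.
    An unreported version is treated as needing upgrade rather than ignored.
    """
    return [
        part
        for part, ver in parse_chassis_firmware(output).items()
        if part.startswith("Routing Engine") and (ver is None or ver < minimum)
    ]


# Constructed sample modelled on the release-notes output: Routing Engine 1 has
# been given an older loader than Routing Engine 0, and FPC 5 reports no version.
SAMPLE_OUTPUT = """\
user@switch> show chassis firmware
Part                     Type       Version
FPC 6                    U-Boot     U-Boot 1.1.6 (Jan 13 2009 - 06:55:22) 2.3.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 5                    U-Boot     U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
"""

if __name__ == "__main__":
    for part, ver in parse_chassis_firmware(SAMPLE_OUTPUT).items():
        shown = ".".join(map(str, ver)) if ver else "(not reported)"
        print(f"{part:<20} loader {shown}")
    print("Needs loader upgrade:", routing_engines_needing_upgrade(SAMPLE_OUTPUT))
```

The pattern also accepts the lowercase "uboot" type column and the version glued to the closing parenthesis that the EX4200 and EX4500 output in the later procedures shows, so the same parser can be run on a Virtual Chassis capture that contains fpcN: separators.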
Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200, and Standalone EX4500 Switches
To upgrade the loader software and Junos OS on EX2200, EX3200, standalone EX4200,
and standalone EX4500 switches:
1. Download the loader software package and the Junos OS package from the Juniper
Networks website as described in Downloading Software Packages from Juniper
Networks. Place the software packages on an internal software distribution site or in
a local directory on the switch. We recommend using /var/tmp as the local directory
on the switch.
NOTE: To obtain the loader software package, see the Download Software page at
http://www.juniper.net/support/products/junos/dom/. Click on the version, then the
Software tab, then the name of the software install package. In the pop-up Alert box,
click on the link to the PSN document.
2. Install the loader package:
user@switch> request system software add package
Replace package with one of the following paths:
• For a software package in the /var/tmp directory on the
switch—/var/tmp/package.tgz
• For a software package on a remote server:
• ftp://hostname/pathname/package.tgz
• http://hostname/pathname/package.tgz
where package.tgz is, for example, jloader-ex-3242-11.3build-signed.tgz.
3. Install the Junos OS package, following the same procedure you used to install the
loader software package.
4. Reboot the switch:
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
If you are monitoring the reboot from the console, you see messages similar to the
following during the partition reformat:
Disk needs to be formatted in order to proceed
Saving the configuration in memory before formatting the disk
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)
32+0 records in
32+0 records out
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)
******* Working on device /dev/da0 *******
...
Restoring configuration
5. Verify that the loader software has been upgraded:
user@switch> show chassis firmware
Part                     Type       Version
FPC 0                    uboot      U-Boot 1.1.6 (Mar 28 2011 - 04:09:20) 1.0.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
The U-Boot version that follows the date information must be 1.0.0 or later.
6. Verify that Junos OS has been upgraded:
user@switch> show version
Upgrading the Loader Software and Junos OS on EX4200 Virtual Chassis
You perform the upgrade of the loader software and Junos OS on an EX4200 Virtual
Chassis from the Virtual Chassis master switch. The master switch pushes the installation
packages to all Virtual Chassis members.
NOTE: A Virtual Chassis must have the same version of Junos OS installed on all of its
members. Installing different versions of Junos OS on individual members, or upgrading
members individually, is not recommended and could cause Virtual Chassis instability
if multiple Junos OS versions run on individual members. See Understanding Automatic
Software Update on EX4200 and EX4500 Virtual Chassis Member Switches and Replacing
a Member Switch of an EX4200 or EX4500 Virtual Chassis Configuration (CLI Procedure).
To upgrade the loader software and Junos OS:
1. Download the loader software package and the Junos OS package from the Juniper
Networks website as described in Downloading Software Packages from Juniper
Networks. Place the software packages on an internal software distribution site or in
a local directory on the master switch. We recommend using /var/tmp as the local
directory on the master switch.
NOTE: To obtain the loader software package, see the Download Software page at
http://www.juniper.net/support/products/junos/dom/. Click on the version, then the
Software tab, then the name of the software install package. In the pop-up Alert box,
click on the link to the PSN document.
2. Log in to the master of the Virtual Chassis.
3. Install the loader software package:
• To install the package on all members of the Virtual Chassis:
user@switch> request system software add package
• To install the package on a single member of the Virtual Chassis:
user@switch> request system software add package member member-id
Replace package with one of the following paths:
• For a software package in the /var/tmp directory on the
switch—/var/tmp/package.tgz
• For a software package on a remote server:
• ftp://hostname/pathname/package.tgz
• http://hostname/pathname/package.tgz
where package.tgz is, for example, jloader-ex-3242-11.3build-signed.tgz.
4. Install the Junos OS package, following the same procedure you used to install the
loader software package.
5. Reboot the Virtual Chassis (to reboot a single member, use the member option):
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
If you are monitoring the reboot from the console, you see messages similar to the
following during the disk reformat:
Disk needs to be formatted in order to proceed
Saving the configuration in memory before formatting the disk
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 31543 free (10 frags, 3953 blocks, 0.0% fragmentation)
32+0 records in
32+0 records out
16384 bytes transferred in 0.033161 secs (494075 bytes/sec)
******* Working on device /dev/da0 *******
...
Restoring configuration
6. Verify that the new version of the loader software is on all members of the Virtual
Chassis:
user@switch> show chassis firmware
fpc0:
--------------------------------------------------------------------------
Part                     Type       Version
FPC 0                    uboot      U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
FPC 1                    uboot      U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
The U-Boot version that follows the date information must be 1.0.0 or later.
7. Verify that the new Junos OS release is on all members of the Virtual Chassis:
user@switch> show version
Upgrading the Loader Software on EX4500 Virtual Chassis and Mixed EX4200 and EX4500 Virtual Chassis
To create an EX4500 Virtual Chassis or a mixed EX4200 and EX4500 Virtual Chassis,
you must upgrade Junos OS on the member switches to Release 11.1 or later before you
form the Virtual Chassis. For instructions on how to upgrade Junos OS and the loader
software on the member switches before they are part of the Virtual Chassis, see
“Installing the Loader Software and Junos OS on EX2200, EX3200, Standalone EX4200,
and Standalone EX4500 Switches” on page 35.
If you did not upgrade the loader software on one or more of the member switches before
you formed the Virtual Chassis, you can use the following procedure to upgrade the loader
software on member switches after the Virtual Chassis is formed.
To upgrade the loader software:
1. Download the loader software package from the Juniper Networks website as
described in Downloading Software Packages from Juniper Networks. Place the software
packages on an internal software distribution site or in a local directory on the master
switch. We recommend using /var/tmp as the local directory on the master switch.
NOTE: To obtain the loader software package, see the Download Software page at
http://www.juniper.net/support/products/junos/dom/. Click on the version, then the
Software tab, then the name of the software install package. In the pop-up Alert box,
click on the link to the PSN document.
For a mixed EX4200 and EX4500 Virtual Chassis, you must download the loader
packages for both switches.
2. Log in to the master of the Virtual Chassis.
3. Install the loader software package:
• To install the package on all members of an EX4500 Virtual Chassis:
user@switch> request system software add package
• To install the package on all members of a mixed EX4200 and EX4500 Virtual
Chassis:
user@switch> request system software add set [ex4200-package ex4500-package]
• To install the package on a single member of the Virtual Chassis:
user@switch> request system software add package member member-id
4. Reboot the Virtual Chassis (to reboot a single member, use the member option):
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
5. Verify that the correct version of the loader software is on all members of the Virtual
Chassis:
root@switch> show chassis firmware
fpc0:
--------------------------------------------------------------------------
Part                     Type       Version
FPC 0                    uboot      U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
FPC 1                    uboot      U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 1.0.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
The U-Boot version that follows the date information must be 1.0.0 or later.
Upgrading Junos OS and the Loader Software on Standalone EX8200 Switches
On EX8200 switches, you must upgrade Junos OS before you can upgrade the loader
software.
The loader software for an EX8200 Routing Engine resides in two flash memory banks.
One bank acts as the primary bank and the Routing Engine boots from it. The other bank
is the backup bank—if the Routing Engine cannot boot from the primary bank, it boots
from the backup bank. When you upgrade the loader software, the upgraded software
is installed in the backup bank, which then becomes the new primary bank. Thus the
primary and backup banks alternate each time you upgrade the loader software, with
the primary bank containing the most recently installed version of the software and the
backup bank containing the previous version.
To upgrade the loader software on an EX8200 Routing Engine, you must perform the
upgrade twice: once for each bank. Each upgrade requires a reboot of the Routing Engine.
NOTE: If you do not upgrade the loader software in both banks and the Routing Engine
boots from the previous version of the loader software in the backup bank, the Routing
Engine will not be able to boot transparently from the alternate root partition if it
attempts to do so because it cannot boot from the primary root partition.
For an EX8200 switch with redundant Routing Engines, you must upgrade the loader
software on both Routing Engines.
To upgrade the Junos OS and loader software on an EX8200 switch:
1. Download and install the Junos OS package on each Routing Engine as described in
Installing Software on an EX Series Switch with Redundant Routing Engines (CLI
Procedure) or Installing Software on an EX Series Switch with a Single Routing Engine
(CLI Procedure).
2. Download the loader software package from the Juniper Networks website and place
the software package on an internal software distribution site or in a local directory
on the switch. We recommend using /var/tmp as the local directory on the switch.
NOTE: To obtain the loader software package, see the Download Software page at
http://www.juniper.net/support/products/junos/dom/. Click on the version, then the
Software tab, then the name of the software install package. In the pop-up Alert box,
click on the link to the PSN document.
3. Log in to the switch and enter the shell. We recommend using a console connection.
4. (For a switch with a single Routing Engine, skip this step.) Enter the CLI, and determine
which is the master and which is the backup Routing Engine:
user@switch> show chassis routing-engine
NOTE: If you do not have GRES enabled, you will not be able to use this command to
determine which is the master and which is the backup Routing Engine. You can instead
enter the shell and use this command to determine mastership:
% sysctl hw.re.mastership
A return of the value 1 means the Routing Engine on which you are logged in is the
master. A return of the value 0 means the Routing Engine on which you are logged in is
the backup.
5. Enter the configuration mode and disable graceful Routing Engine switchover (GRES)
and nonstop active routing (NSR):
user@switch# deactivate chassis redundancy graceful-switchover
user@switch# deactivate routing-options nonstop-routing
6. Log in to the backup Routing Engine:
user@switch> request routing-engine login other-routing-engine
7. Install the loader package:
user@switch> request system software add package
Replace package with one of the following paths:
• For a software package in the /var/tmp directory on the
switch—/var/tmp/package.tgz
• For a software package on a remote server:
• ftp://hostname/pathname/package.tgz
• http://hostname/pathname/package.tgz
where package.tgz is, for example, jloader-ex-8200-11.3build-signed.tgz.
8. Determine the primary bank and the version of the loader software in the bank:
% kenv | grep boot.primary.bank
boot.primary.bank="0"
% kenv | grep boot.ver
boot.ver="2.4.0"
9. Upgrade the firmware:
user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....
10. After waiting for a couple of minutes, reboot the Routing Engine:
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
11. Enter the shell and verify that the previous backup bank is now the primary bank and
that it contains the upgraded loader software:
% kenv | grep boot.primary.bank
boot.primary.bank="1"
% kenv | grep boot.ver
boot.ver="3.5.0"
12. To install the loader software in the current backup bank, repeat Step 7 through Step
11.
NOTE: If you installed the loader software package from /var/tmp, you might need to
copy the loader software package to /var/tmp again before you can repeat Step 7
through Step 11 because it is sometimes removed after each installation.
13. (Optional) The following message might be displayed when a user logs in to the
system:
--- JUNOS 11.4R1.9 built 2011-03-19 22:06:32 UTC
At least one package installed on this device has limited support.
Run 'file show /etc/notices/unsupported.txt' for details.
This message can be safely ignored. It appears as a result of upgrading the loader
software after you upgrade Junos OS.
You can permanently remove this message by removing the loader software package
and rebooting the system:
user@switch> request system software delete jloader-ex-8200
Unmounted /packages/mnt/jloader-ex-8200-11.3 ...
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
14. From the configuration mode, re-enable graceful Routing Engine switchover (GRES)
and nonstop active routing (NSR):
user@switch# activate chassis redundancy graceful-switchover
user@switch# activate routing-options nonstop-routing
15. After completing the upgrade of the loader software on the backup Routing Engine,
perform a master switchover so the backup Routing Engine becomes the master:
user@switch> request chassis routing-engine master switch
Toggle mastership between routing engines ? [yes,no] (no) yes
Resolving mastership...
Complete. The other local routing engine becomes the master.
{backup}
user@switch>
16. Follow the same procedure for upgrading the loader software that you used for the
original backup Routing Engine (Step 3 through Step 14).
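The bank alternation described above (the new loader is written to the backup bank, which then becomes the primary bank) and the kenv checks in Step 8 and Step 11 can be tracked with a small model, which makes it obvious why Step 12 repeats the pass for the other bank. The following is an added example, not code from the release notes or from Juniper: parse_kenv reads the two kenv lines, LoaderBanks simulates the alternation and reports how many passes a Routing Engine still needs, and verify_upgrade_pass confirms a single pass the way Step 11 does. The kenv captures are constructed from the values shown in the procedure; the assumption that both banks start at 2.4.0 is mine.

```python
"""Tracking the two loader flash banks of an EX8200 Routing Engine.

Added example (not Juniper's code). It models the bank alternation the release
notes describe (the new loader goes into the backup bank, which then becomes
primary) and parses the two kenv lines the procedure uses to confirm each pass,
so you can tell how many upgrade passes a Routing Engine still needs.
"""
import re

# kenv prints one key="value" pair per line; only these two keys are needed.
_KENV_LINE = re.compile(r'^(?P<key>boot\.(?:primary\.bank|ver))="(?P<val>[^"]*)"\s*$')


def parse_kenv(output):
    """Return (primary bank as int, boot.ver string) from kenv output.

    Raises ValueError when either key is missing so that a truncated capture
    is never mistaken for "bank 0, version unknown".
    """
    found = {}
    for line in output.splitlines():
        match = _KENV_LINE.match(line.strip())
        if match:
            found[match.group("key")] = match.group("val")
    missing = {"boot.primary.bank", "boot.ver"} - found.keys()
    if missing:
        raise ValueError("kenv output lacks " + ", ".join(sorted(missing)))
    return int(found["boot.primary.bank"]), found["boot.ver"]


class LoaderBanks:
    """Loader versions in bank 0 and bank 1 of one Routing Engine."""

    def __init__(self, primary_bank, primary_ver, backup_ver):
        self.primary = primary_bank
        self.banks = {primary_bank: primary_ver, 1 - primary_bank: backup_ver}

    @property
    def backup(self):
        return 1 - self.primary

    def upgrade(self, new_ver):
        """One pass of `request system firmware upgrade scb` plus reboot:
        the new loader is written to the backup bank, which becomes primary."""
        self.banks[self.backup] = new_ver
        self.primary = self.backup

    def kenv_view(self):
        """What the post-reboot kenv checks should report: (bank, boot.ver)."""
        return self.primary, self.banks[self.primary]

    def fully_upgraded(self, target):
        """True only when BOTH banks hold `target`; a Routing Engine that falls
        back to the backup bank otherwise boots the old loader."""
        return all(ver == target for ver in self.banks.values())

    def passes_remaining(self, target):
        """Upgrade passes still needed, found by simulating them."""
        sim = LoaderBanks(self.primary, self.banks[self.primary], self.banks[self.backup])
        passes = 0
        while not sim.fully_upgraded(target):
            sim.upgrade(target)
            passes += 1
        return passes


def verify_upgrade_pass(before_kenv, after_kenv, target):
    """Step-11 style check: after one pass the primary bank must have flipped
    and boot.ver must equal the target loader version."""
    before_bank, _ = parse_kenv(before_kenv)
    after_bank, after_ver = parse_kenv(after_kenv)
    return after_bank == 1 - before_bank and after_ver == target


# Constructed captures modelled on the release-notes kenv output (prompt lines
# included, as they would be in a pasted console session).
KENV_BEFORE = """\
% kenv | grep boot.primary.bank
boot.primary.bank="0"
% kenv | grep boot.ver
boot.ver="2.4.0"
"""
KENV_AFTER = """\
% kenv | grep boot.primary.bank
boot.primary.bank="1"
% kenv | grep boot.ver
boot.ver="3.5.0"
"""

if __name__ == "__main__":
    bank, ver = parse_kenv(KENV_BEFORE)
    engine = LoaderBanks(bank, ver, ver)  # assumption: both banks start at 2.4.0
    print("passes needed:", engine.passes_remaining("3.5.0"))
    engine.upgrade("3.5.0")
    print("after pass 1:", engine.kenv_view(), "both banks done:", engine.fully_upgraded("3.5.0"))
    print("pass 1 verified:", verify_upgrade_pass(KENV_BEFORE, KENV_AFTER, "3.5.0"))
```

Run against a Routing Engine where both banks hold 2.4.0, passes_remaining reports 2; after one pass the model's kenv_view is bank 1 with 3.5.0, exactly what Step 11 expects, but fully_upgraded stays false until the second pass has written bank 0 as well.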
Upgrading Junos OS and the Loader Software on EX8200 Virtual Chassis
On EX8200 Virtual Chassis, you must upgrade Junos OS before you can upgrade the
loader software.
To upgrade an EX8200 Virtual Chassis, you must upgrade the loader software to be
upgraded.
NOTE: A Virtual Chassis must have the same version of Junos OS installed on all of its
members. Installing different versions of Junos OS on individual members, or upgrading
members individually, is not recommended and could cause Virtual Chassis instability
if multiple Junos OS versions run on individual members.
As described in “Upgrading Junos OS and the Loader Software on Standalone EX8200
Switches” on page 39, the loader software for a Routing Engine resides in two flash
memory banks and both banks must be upgraded with the new loader software.
To upgrade the Junos OS and the loader software:
1. Download the loader software package and the Junos OS package from the Juniper
Networks website as described in Downloading Software Packages from Juniper
Networks. Place the software packages on an internal software distribution site or in
a local directory on the master external Routing Engine. We recommend using /var/tmp
as the local directory.
NOTE: To obtain the loader software package, see the Download Software page at
http://www.juniper.net/support/products/junos/dom/. Click on the version, then the
Software tab, then the name of the software install package. In the pop-up Alert box,
click on the link to the PSN document.
2. Log in to the master external Routing Engine.
3. Install the Junos OS package:
user@external-routing-engine> request system software add package
Replace package with one of the following paths:
• For a software package in the /var/tmp directory on the
switch—/var/tmp/package.tgz
• For a software package on a remote server:
• ftp://hostname/pathname/package.tgz
• http://hostname/pathname/package.tgz
where package.tgz is, for example, jinstall-ex-xre200-11.3R1.8-domestic-signed.tgz.
4. Reboot the Virtual Chassis:
user@external-routing-engine> request system reboot
Reboot the system ? [yes,no] (no) yes
5. After the reboot completes, verify that Junos OS has been upgraded on all members:
user@external-routing-engine> show version
6. Enter configuration mode and disable graceful Routing Engine switchover (GRES)
and nonstop active routing (NSR):
user@switch# deactivate chassis redundancy graceful-switchover
user@switch# deactivate routing-options nonstop-routing
7. Install the loader package:
user@external-routing-engine> request system software add package
Replace packagewith the path to the loader package.
The package is pushed to each member switch from the master external Routing
Engine.
8. Upgrade the loader software in the current backup banks on both Routing Engines on
a member switch (member 0 is used in the command examples):
a. Enter the CLI and log in to the member switch:
user@external-routing-engine> request session member 0
b. Upgrade the firmware in the backup bank on the master Routing Engine:
user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....
c. Wait a couple of minutes and then reboot the Routing Engine:
user@switch> request system reboot
Reboot the system ? [yes,no] (no) yes
d. Upgrade the firmware in the current backup bank of the backup Routing Engine
(now the master) by repeating Step a through Step c.
Because the loader software has been upgraded in the backup banks, they now
become the primary banks.
9. After the reboots of the Routing Engines complete, log in to the member switch again
and verify that the loader software has been upgraded in the primary banks:
user@external-routing-engine> request session member 0
user@switch> show chassis firmware
Part                     Type       Version
FPC 1                    U-Boot     U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 5                    U-Boot     U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
The U-Boot version that appears after the build date and time must be 3.5.0 or later.
10. Upgrade the loader software in the new backup banks on both Routing Engines on
the member switch:
a. Upgrade the firmware in the backup bank on the master Routing Engine:
user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....
b. Perform a master switchover to make the backup Routing Engine the master
Routing Engine:
user@switch> request chassis routing-engine master switch
Toggle mastership between routing engines ? [yes,no] (no) yes
You are returned to the master external Routing Engine after the master switchover.
c. Log back in to the member switch:
user@external-routing-engine> request session member 0
d. Upgrade the firmware in the backup bank on the new master Routing Engine:
user@switch> request system firmware upgrade scb
Firmware upgrade initiated....
Please wait for ~2mins for upgrade to complete....
e. Verify that the loader software has been upgraded in the new primary banks on
both Routing Engines:
user@switch> show chassis firmware
Part                     Type       Version
FPC 1                    U-Boot     U-Boot 1.1.6 (Mar 25 2009 - 06:13:12) 2.4.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.2
FPC 5                    U-Boot     U-Boot 1.1.6 (Nov 5 2008 - 09:16:00)
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader
Routing Engine 0         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
Routing Engine 1         U-Boot     U-Boot 1.1.6 (Mar 11 2011 - 04:29:01) 3.5.0
                         loader     FreeBSD/PowerPC U-Boot bootstrap loader 2.4
f. Exit to the master external Routing Engine.
11. Re-enable graceful Routing Engine switchover (GRES) and nonstop active routing
(NSR):
user@switch# activate chassis redundancy graceful-switchover
user@switch# activate routing-options nonstop-routing
12. Upgrade the loader software on the other member switch in the Virtual Chassis by
repeating Step 7 through Step 9.
Downgrading to Junos OS Release 10.4R2 or Earlier
When you downgrade to a Junos OS Release 10.4R2 or earlier, which are releases that
do not support resilient dual-root partitions, the downgrade process automatically:
• Reformats the disk from four partitions to three partitions during the reboot of the
switch that completes the Junos OS downgrade. The reformat causes a one-time
increase in reboot time of 10 to 25 additional minutes per Routing Engine for EX8200
switches and 5 to 10 additional minutes for other switches.
• Disables the boot-sequencing function of the loader software. With the boot-sequencing
function disabled, the loader software behaves as it did before resilient dual-root
partitions were introduced. The loader software itself is not downgraded—there is no
need to downgrade it.
To downgrade to Release 10.4R2 or earlier:
1. Use the request system snapshot command to save your data files to external media
before you perform the downgrade.
NOTE: Files in the /config directory are saved and restored during the
downgrade process. However, files in the /var directory, such as log files
and user /home directories, are not saved. In addition, a power failure
during the reboot could cause the configuration files to be lost.
2. Install Junos OS.
Downgrading to an Earlier Junos OS Release
CAUTION: Before you begin the software downgrade on your EX Series switch, you must
verify the minimum Junos OS release supported on the switch and the components
installed in the switch. Do not downgrade the software on a switch to a release prior to
the first Junos OS release that the switch or a component is supported in.
To verify the first Junos OS release supported on your switch, see:
• EX2200 Switch Models
• EX3200 Switch Models
• EX3300 Switch Models
• EX4200 Switch Models
• EX4500 Switch Models
• Line Card Model and Version Compatibility in an EX8200 Switch
Upgrading EX Series Switches Using NSSU
You can use nonstop software upgrade (NSSU) to upgrade Junos OS releases on EX8200
standalone switches and EX8200 Virtual Chassis. For instructions on how to perform an
upgrade using NSSU, see Upgrading Software on an EX8200 Standalone Switch Using
Nonstop Software Upgrade (CLI Procedure) or Upgrading Software on an EX8200 Virtual
Chassis Using Nonstop Software Upgrade (CLI Procedure).
Table 2 on page 47 details NSSU support per Junos OS release and provides pointers to
any known issues for particular upgrade scenarios.
Table 2: Using NSSU to Upgrade Junos OS on EX8200 Switches and EX8200 Virtual Chassis

Switch Platform       Upgrade from      Upgrade to       Upgrade to       Upgrade to       Upgrade to       Upgrade to       Upgrade to
                      Release x.x       Release 10.4R4   Release 11.1R4   Release 11.1R5   Release 11.2R1   Release 11.3R1   Release 11.4R1
                                        or Later                          or Later         or Later         or Later         or Later
EX8200 standalone     10.4R1 or 10.4R2  Not supported    Not supported    Not supported    Not supported    Not supported    Not supported
switch                10.4R3 or later   Supported        Supported        Supported        Supported        Supported        Supported
                      11.1R1 or later   –                Supported        Supported        Supported        Supported        Supported
                      11.2R1 or later   –                –                –                Supported        Supported        Supported
                      11.3R1 or later   –                –                –                –                Supported        Supported
                      11.4R1            –                –                –                –                –                Supported
EX8200 Virtual        10.4R1 or later   Not supported    Not supported    Not supported    Not supported    Not supported    Not supported
Chassis               11.1R1, 11.1R2,   –                Not recommended  Not recommended  Not recommended  Not recommended  Not recommended
                      or 11.1R3
                      11.1R4            –                Not recommended  Supported        Supported        Supported        Supported
                      11.1R5 or later   –                –                Supported        Supported        Supported        Supported
                      11.2R1 or later   –                –                –                Supported        Supported        Supported
                      11.3R1 or later   –                –                –                –                Supported        Supported
                      11.4R1 or later   –                –                –                –                –                Supported
On an EX8200 Virtual Chassis, an NSSU operation can be performed only if you have
configured the XRE200 External Routing Engine member ID to be 8 or 9.
NOTE: Do not use nonstop software upgrade (NSSU) to upgrade the software on an
EX8200 switch from Junos OS Release 10.4 if you have configured the IGMP, MLD, or PIM
protocols on the switch. If you attempt to use NSSU, your switch might be left in a
nonfunctional state from which it is difficult to recover. If you have these multicast
protocols configured, upgrade the software on the EX8200 switch from Release 10.4 by
following the instructions in Installing Software on an EX8200 Switch with Redundant
Routing Engines (CLI Procedure). This issue does not apply to upgrades from Release
11.1 or later.
NOTE: If you are using NSSU to upgrade the software on an EX8200 switch from Junos OS
Release 10.4 or Release 11.1 and sFlow technology is enabled, disable sFlow technology
before you perform the upgrade using NSSU. After the upgrade is complete, you can
reenable sFlow technology. If you do not disable sFlow technology before you perform
the upgrade with NSSU, sFlow technology will not work properly. This issue does not
affect upgrades from Release 11.2 or later.
NOTE: If you are using NSSU to upgrade the software on an EX8200 switch from Junos OS
Release 11.1 and NetBIOS snooping is enabled, disable NetBIOS snooping before you
perform the upgrade using NSSU. After the upgrade is complete, you can reenable NetBIOS
snooping. If you do not disable NetBIOS snooping before you perform the upgrade with
NSSU, NetBIOS snooping will not work properly. This issue does not affect upgrades from
Release 11.2 or later.
Related Documentation
• New Features in Junos OS Release 11.4 for EX Series Switches on page 7
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for EX Series Switches
on page 10
• Limitations in Junos OS Release 11.4 for EX Series Switches on page 11
• Outstanding Issues in Junos OS Release 11.4 for EX Series Switches on page 15
• Resolved Issues in Junos OS Release 11.4 for EX Series Switches on page 19
• Changes to and Errata in Documentation for Junos OS Release 11.4 for EX Series
Switches on page 28
Junos OS Release Notes for M Series Multiservice Edge Routers, MX Series 3D Universal Edge Routers, and T Series Core Routers
• New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series
Routers on page 49
• Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers on page 117
New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers
The Junos OS Release 11.4 documentation contains information about the following M
Series, MX Series, and T Series functionality that will not be available until a later release
of Junos OS Release 11.4:
• Class of Service on page 49
• High Availability on page 54
• Interfaces and Chassis on page 56
• Junos OS XML API and Scripting on page 73
• Layer 2 Ethernet Services on page 75
• MPLS Applications on page 75
• Network Management on page 79
• Routing Protocols on page 82
• Subscriber Access Management on page 83
• System Logging on page 109
• User Interface and Configuration on page 116
• VPNs on page 117
Class of Service
• Support for DSCP classification on customer edge links for CCC, TCC, and VPLS (MX Series routers with MPC/MIC interfaces)—Extends support for DSCP-based behavior aggregate (BA) classification for circuit cross-connect (CCC), translational cross-connect (TCC), and virtual private LAN service (VPLS) on MX Series routers with MPC/MIC interfaces.
DSCP-based services provide support for a uniform end-to-end quality-of-service (QoS) model. By using the DSCP classifier, you can apply the QoS configuration for the CCC, TCC, and VPLS families at the IP level. Therefore, you do not have to depend on the underlying Layer 2 QoS support.
[Class of Service]
• Support for Layer 2 features on Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MX Series routers)—The following Layer 2 features are supported on the Channelized SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP:
• Support for configuring interface MTU settings (range: 256–9192 bytes).
• Support for configuring High-Level Data Link Control (HDLC) payload scrambling.
• Support for crc-16 and crc-32 HDLC CRC checking modes.
• Support for configuring the HDLC idle cycle flag. The default idle cycle transmit value is 0x7E.
• Support for the following encapsulations:
• cisco-hdlc—Cisco-compatible HDLC framing
• cisco-hdlc-ccc—Cisco-compatible HDLC framing for a circuit cross-connect
• cisco-hdlc-tcc—Cisco-compatible HDLC framing for a translational cross-connect
• flexible-frame-relay—Multiple Frame Relay encapsulations
• frame-relay—Frame Relay encapsulation
• frame-relay-ccc—Frame Relay for a circuit cross-connect
• frame-relay-tcc—Frame Relay for a translational cross-connect
• frame-relay-ppp—Point-to-Point Protocol (PPP) over Frame Relay
• ppp—Serial Point-to-Point Protocol (PPP) device
• ppp-ccc—Serial PPP device for a circuit cross-connect
• ppp-tcc—Serial PPP device for a translational cross-connect
• MPLS circuit cross-connect
• MPLS translational cross-connect
• MPLS fast reroute
[Class of Service]
• Set IPv6 DSCP and MPLS EXP independently (M120 routers, M320 routers with Enhanced III FPCs, and MX Series routers)—On the M120, M320 with Enhanced III FPCs, and MX Series 3D Universal Edge Routers, you can set the packet DSCP and MPLS EXP bits independently on IPv6 packets.
To enable this feature, include the protocol mpls statement at the [edit class-of-service interfaces interface-name unit logical-unit rewrite-rules dscp-ipv6 rule-name] hierarchy level.
You can set DSCP IPv6 values only at the ingress MPLS node. This feature is not
supported on MPC/MIC interfaces.
[Class of Service]
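The following configuration is an added example, not text from the release notes or Juniper documentation. It shows one way to use the protocol mpls statement described above: an ingress LSR rewrites the IPv6 DSCP field from one rule and the MPLS EXP bits from a separate rule. The rule names (v6-rw, exp-rw), the interface (ge-1/0/0 on a DPC, since the note states the feature is not supported on MPC/MIC interfaces), and the chosen code points are assumptions.

```junos
# Added example (not from the release notes). Names and code points are assumptions.
class-of-service {
    rewrite-rules {
        # DSCP rewrite applied to IPv6 packets
        dscp-ipv6 v6-rw {
            forwarding-class expedited-forwarding {
                loss-priority low code-point ef;
            }
            forwarding-class best-effort {
                loss-priority low code-point be;
            }
        }
        # EXP rewrite for the MPLS label pushed on the same packets
        exp exp-rw {
            forwarding-class expedited-forwarding {
                loss-priority low code-point 101;
            }
            forwarding-class best-effort {
                loss-priority low code-point 000;
            }
        }
    }
    interfaces {
        ge-1/0/0 {
            unit 0 {
                rewrite-rules {
                    # "protocol mpls" makes the DSCP-IPv6 rewrite apply to IPv6
                    # packets entering an LSP here (the ingress MPLS node), so the
                    # DSCP and EXP values are set independently of each other.
                    dscp-ipv6 v6-rw protocol mpls;
                    exp exp-rw;
                }
            }
        }
    }
}
```

Without protocol mpls, the DSCP-IPv6 rule would apply only to IPv6 packets that leave the interface unlabeled; the EXP rule alone governs the label. Because the release note states that DSCP IPv6 values can be set only at the ingress node, the same statement on a transit or egress LSR has no effect.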
• Unified command to display all QoS statistics (M Series, MX Series, and T Series routers)—Two new options, detail and comprehensive, are added to the show
class-of-service interface interface-name command. These new options are added to provide a unified operational command that combines the output of existing commands and displays all quality-of-service (QoS) parameters and statistics for physical or logical interfaces.
The output of the show class-of-service interface interface-name detail command is a
combination of output of the following commands:
• show interfaces brief
• show interfaces filters interface-name
• show interfaces policers interface-name
• show class-of-service interface interface-name
In the show class-of-service interface interface-name detail command, if interface-name is a physical interface, the QoS information is displayed for the physical interface as well as for the logical interfaces on the physical interface—that is, the commands listed
above are executed first for the physical interface, and then for each of the logical
interfaces. If interface-name is a logical interface, the QoS information is displayed
only for the logical interface.
The output of the show class-of-service interface interface-name comprehensive
command is a combination of output of the following commands:
• show interfaces interface-name extensive
• show interfaces queue interface-name
• show interfaces filters interface-name
• show interfaces policers interface-name
• show firewall filter filter-name
• show policer policer-name
• show class-of-service classifier name classifier-name
• show class-of-service translation-table name trans-table-name
• show class-of-service forwarding-class
• show class-of-service traffic-control-profile tcp-name
• show class-of-service scheduler-map scheduler-map-name
• show class-of-service drop-profile drop-profile-name
• show class-of-service rewrite-rule name rewrite-rule-name
• show class-of-service fragmentation-map fragmap-name
The show class-of-service interface interface-name comprehensive command displays
a specific construct only when it is attached to the interface. For example, if a translation
table is not attached to an interface, it is not displayed. The constructs are listed if they
are configured on the interface, either explicitly or through default configuration.
NOTE:
• The show class-of-service interface interface-name detail and show class-of-service interface interface-name comprehensive command output are a combination of existing command output; no new field or functionality is added in the output.
• The show class-of-service interface interface-name detail and show class-of-service interface interface-name comprehensive commands can be used mainly for debugging. If you do not specify interface interface-name and want to see the output for many interfaces together using these commands, there might be some delay in displaying the output.
• The show class-of-service interface interface-name detail and show class-of-service interface interface-name comprehensive commands do not display routing instance statistics and information related to interface sets, ATM CoS, CoS-based forwarding, and interface range match.
• While displaying firewall QoS output, only classical, interface-specific, and Layer 2 policer-related information is displayed.
[Class of Service, System Basics, Network Interfaces]
• Support for rewrite rules and classifiers on Ethernet pseudowires (MX Series routers)—Enables you to configure rewrite rules and classifiers on Ethernet pseudowires that are configured on logical tunnel interfaces. This feature is supported on MPC/MIC modules on MX Series routers.
You can use logical tunnel interfaces to create pseudowires by connecting two virtual
routing forwarding (VRF) instances. A pseudowire can be used to represent a single
subscriber (for example, a business subscriber).
To configure this feature, create a logical interface by including the lt-fpc/pic/port
statement at the [edit interfaces] hierarchy level or the [edit logical-systems
logical-system-name interfaces] hierarchy level. You must specify an Ethernet
encapsulation type and inet as the family.
To configure the CoS parameters, include the rewrite-rules and classifier statements
at the [edit class-of-service] hierarchy level. You can specify inet-precedence or dscp
as the rewrite rule or the classification type.
[Class of Service, Subscriber Access]
• Policer support for aggregated Ethernet and SONET bundles (M120, M10i, M7i (CFEB-E only), M320 (SFPC only), MX240, MX480, and MX960 (DPC only))—Aggregated interfaces support single-rate policers, three-color marking policers, two-rate three-color marking policers, hierarchical policers, and percentage-based policers. By default, policer bandwidth and burst size applied on aggregated bundles are not matched to the user-configured bandwidth and burst size.
You can configure interface-specific policers applied on an aggregated Ethernet bundle or an aggregated SONET bundle to match the effective bandwidth and burst size to user-configured values. The shared-bandwidth-policer statement is required to achieve this match behavior.
This capability applies to all interface-specific policers of the following types: single-rate policers, single-rate three-color marking policers, two-rate three-color marking policers,
and hierarchical policers. Percentage-based policers match the bandwidth to the
user-configured values by default, and do not require shared-bandwidth-policer
configuration. The shared-bandwidth-policer statement causes a split in burst size for
percentage-based policers.
To configure this feature, include the shared-bandwidth-policer statement at the [edit
firewall policer policer-name], [edit firewall three-color-policer policer-name], or [edit
firewall hierarchical-policer policer-name] hierarchy levels.
[Class of Service]
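The following configuration is an added example, not text from the release notes or Juniper documentation. It shows a single-rate policer with the shared-bandwidth-policer statement applied through an interface-specific filter to an aggregated Ethernet bundle, so that the rate a customer can push into the bundle is the configured 50 Mbps rather than a value that is not matched to it. The policer and filter names (police-50m, cust-in), the bundle name (ae0), and the rate and burst values are assumptions.

```junos
# Added example (not from the release notes). Names, rate, and burst are assumptions.
firewall {
    policer police-50m {
        if-exceeding {
            bandwidth-limit 50m;
            burst-size-limit 625k;
        }
        then discard;
        # Per the release note, without this statement the bandwidth and burst
        # applied on an aggregated bundle are not matched to the configured values.
        # With it, the effective rate across the member links equals 50 Mbps.
        shared-bandwidth-policer;
    }
    family inet {
        filter cust-in {
            # interface-specific creates a separate policer instance per interface,
            # which is the policer type the release note covers
            interface-specific;
            term police {
                then policer police-50m;
            }
        }
    }
}
interfaces {
    ae0 {
        unit 0 {
            family inet {
                filter {
                    input cust-in;
                }
            }
        }
    }
}
```

A percentage-based policer (bandwidth-percent) would not need the statement, as the note states; adding it there changes burst handling instead, so keep it to the absolute-rate policer types listed above.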
• Configurable IEEE 802.1p inheritance support for push and swap from hidden tag (MX Series routers)—Configurable IEEE 802.1p inheritance of push and swap bits from the hidden tag of each incoming packet allows you to classify incoming packets based on the IEEE 802.1p bits from the hidden tag.
You can configure inheritance of IEEE 802.1p bits from the hidden tag by including the swap-by-poppush statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level. To configure the classification of incoming packets
based on the IEEE 802.1p bits from the hidden tag, include the hidden statement at
the [edit class-of-service interfaces interface-name unit logical-unit-number classifiers
ieee-802.1 vlan-tag] hierarchy level.
This feature is supported on MX Series routers with DPCs, Enhanced DPCs, and
Enhanced Queuing DPCs.
[Class of Service, Ethernet Interfaces]
• Queuing support for logical tunnel interfaces (MX Series routers with MPC/MIC interfaces)—You can configure CoS scheduling parameters on a logical tunnel interface. This configuration can be used to manage traffic entering a pseudowire. You can
configure the CoS scheduling and queuing parameters at the physical interface or the
logical interface level. To do this, configure a hierarchical scheduler on the physical
interface.
[Class of Service]
• DSCP rewrite enabled on T640 and T1600 routers—DSCP rewrite is supported for the 10-Gigabit Ethernet LAN/WAN PIC with SFP+ (PD-5-10XGE-SFPP).
NOTE: This PIC is referred to as the 10-port 10-Gigabit Oversubscribed Ethernet PIC or 10-port 10-Gigabit OSE PIC in some software documentation.
[Class of Service, T640 PIC Guide, T1600 PIC Guide]
• Extends support for Layer 2 policers on MX Series routers with MPC/MIC interfaces—You can now configure Layer 2 policers for the ingress and egress interfaces
on MX Series routers with MPC/MIC interfaces. Policer types include: single-rate
two-color, single-rate three-color (color-blind and color-aware), and two-rate
three-color (color-blind and color-aware). To configure Layer 2 policing, include the
policer at the [edit firewall] hierarchy level.
[Class of Service, Policy, Network Interfaces]
High Availability
• Nonstop active routing support for RSVP OAM and BFD over RSVP—Starting with Release 11.4, Junos OS extends the nonstop active routing support to the RSVP
Operation, Administration, and Maintenance (OAM) feature. Nonstop active routing
support for RSVP OAM ensures that the OAM state information is maintained across
the switchover. Nonstop active routing support for RSVP OAM also enables the BFD
sessions over RSVP LSPs to preserve the state information across the switchover, and
to come back online after the switchover.
However, nonstop active routing support for RSVP OAM does not include
point-to-multipoint LSPs, logical systems, and bypass and detour LSPs.
[High Availability]
• Support for unified in-service software upgrade (T640 and T1600 Routers)—Supports unified in-service software upgrade (unified ISSU) on T640 and T1600 routers with
10-Gigabit Ethernet LAN/WAN PIC with SFP+ (PD-5-10XGE-SFPP). Unified ISSU is a
process to upgrade the system software with minimal disruption of transit traffic and
no disruption on the control plane. In this process, the new system software version
must be higher than the previous system software version. When unified ISSU
completes, the new system software state is identical to that of the system software
when the system upgrade is performed by powering off the system and then powering
it back on.
[High Availability]
• Support for unified in-service software upgrade (MX Series routers with FPC2 and FPC3)—Supports unified in-service software upgrade (unified ISSU) on MX Series routers with FPC2 and FPC3.
The following Physical Interface Cards (PICs) on MX-FPC2 and MX-FPC3 support
unified ISSU:
MX-FPC2
• SONET/SDH OC48/STM16 (Multi-Rate) PIC with SFP (PB-1OC48-SON-B-SFP)
• SONET/SDH OC48c/STM16 with SFP (PB-1OC48-SON-SFP)
• SONET/SDH OC3c/STM1 (Multi-Rate) PIC with SFP (PB-4OC3-1OC12-SON2-SFP)
• SONET/SDH OC12/STM4 (Multi-Rate) PIC with SFP (PB-4OC3-4OC12-SON-SFP)
• Channelized OC48/STM16 Enhanced IQ (IQE) PIC with SFP
(PB-1CHOC48-STM16-IQE-SFP)
MX-FPC3
• SONET/SDH OC192c/STM64 PIC (PC-1OC192-SON-VSR)
• SONET/SDH OC192c/STM64 PIC with XFP (PC-1OC192-SON-XFP)
• SONET/SDH OC48/STM16 PIC with SFP (PC-4OC48-SON-SFP)
Unified ISSU is a process to upgrade the system software with minimal disruption of
transit traffic and no disruption on the control plane. In this process, the new system
software version must be higher than the previous system software version. When
unified ISSU completes, the new system software state is identical to that of the system
software when the system upgrade is performed by powering off the system and then
powering it back on.
[High Availability]
• Layer 2 bridging support for MX Series Virtual Chassis (MX240, MX480, and MX960 routers with MPC/MIC interfaces)—Supports the following Layer 2 bridging features and applications in an MX Series Virtual Chassis configuration:
• Bridged interface configuration
• Bridge domain configuration
• Media access control (MAC) flooding and learning
• Integrated routing and bridging (IRB)
• Virtual private LAN service (VPLS)
• Redundant pseudowires for Layer 2 circuits and VPLS
Configuration of these Layer 2 bridging features works the same way for member
routers in an MX Series Virtual Chassis as it does for standalone MX Series routers that
are not part of a Virtual Chassis.
[High Availability, Layer 2]
• Support for unified in-service software upgrade (T640 and T1600 Routers with Type 3 PICs)—Junos OS Release 11.4 supports unified in-service software upgrade (unified ISSU) on T640 and T1600 routers with 4-port Channelized SONET/SDH OC48/STM16 Enhanced IQ (IQE) PIC with SFP (PC-4OC48-STM16-IQE-SFP).
Unified ISSU is a process to upgrade the system software with minimal disruption of
transit traffic and no disruption on the control plane. In this process, the new system
software version must be higher than the previous system software version. When
unified ISSU completes, the new system software state is identical to that of the system
software when the system upgrade is performed by powering off the system and then
powering it back on.
[High Availability]
• Unified ISSU support for statistics preservation on MPC/MIC interfaces (MX Series 3D Universal Edge Routers)—Enables support for the preservation of interface-specific and firewall filter statistics across a unified in-service software upgrade (unified ISSU)
on an MX Series router with MPC/MIC interfaces. This support ensures that the router
maintains statistics data across the unified ISSU and that statistics counters are
operational after the unified ISSU completes.
To preserve statistics across a unified ISSU, the router stores the statistics data as
binary large objects. The router collects the statistics before the unified ISSU is
initialized, and restores the statistics after the unified ISSU completes. No statistics
are collected during the unified ISSU process.
To verify that statistics are preserved across the unified ISSU, you can issue existing
CLI operational commands such as show interfaces statistics after the unified ISSU
completes.
For a list of the MPCs and MICs that are supported during a unified ISSU on MX Series
3D Universal Edge Routers, see the Junos OS High Availability Configuration Guide.
[High Availability, Subscriber Access]
Interfaces and Chassis
• Internet Key Exchange version 2 (IKEv2)—Starting with Junos OS Release 11.4, both IKEv1 and IKEv2 are supported by default on all M Series, MX Series, and T Series routers.
The version statement under the [edit services ipsec-vpn ike policy name] hierarchy
allows you to configure the specific IKE version to be supported. However, if only IKEv1
is supported, Junos OS rejects IKEv2 negotiations. Similarly, if only IKEv2 is supported,
Junos OS rejects all IKEv1 negotiations.
The key management process (kmd) daemon determines which version of IKE is used
in a negotiation. If kmd is the IKE initiator, it uses IKEv1 by default and retains the
configured version for negotiations. If kmd is the IKE responder, it accepts connections
from both IKEv1 and IKEv2.
[Services Interfaces]
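The following configuration is an added example, not text from the release notes or Juniper documentation. It pins one IKE policy to IKEv2 with the version statement described above, so that kmd rejects any IKEv1 negotiation for that policy instead of accepting both versions as it does by default. The proposal and policy names (ike-prop, ike-v2-only), the pre-shared key placeholder, and the choice of dh-group group14 (which may not be offered on every release; group2 is the long-standing option) are assumptions.

```junos
# Added example (not from the release notes). Names and the key value are assumptions.
services {
    ipsec-vpn {
        ike {
            proposal ike-prop {
                authentication-method pre-shared-keys;
                # group14 is an assumption; use the strongest group the platform offers
                dh-group group14;
                authentication-algorithm sha1;
                encryption-algorithm aes-256-cbc;
            }
            policy ike-v2-only {
                # Default (no version statement): kmd answers IKEv1 and IKEv2 peers,
                # and initiates with IKEv1. "version 2" restricts this policy to IKEv2
                # in both directions, so an IKEv1 proposal from the peer is rejected.
                version 2;
                proposals ike-prop;
                pre-shared-key ascii-text "$9$PLACEHOLDER-REPLACE-ME";
            }
        }
    }
}
```

Restricting a policy to one version is the check to make when a peer must never be allowed to fall back to IKEv1: with the default setting a responder still accepts either version, so a version-2-only requirement is enforced only where the version statement is explicitly set.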
• Support for Frame Relay DE loss priority mapping (M120 routers, M320 routers with Enhanced III FPC, M7i and M10i routers with Enhanced Compact Forwarding Engine Board, and MX Series routers)—Enables you to define a loss priority map based on the Frame Relay discard eligibility (DE) bit. To configure the Frame Relay DE loss priority mapping, include the loss-priority and code-point statements at the [edit class-of-service loss-priority-maps frame-relay-de] hierarchy level. For each mapping, the loss priority can be high, medium-high, medium-low, or low. The value of the code point can be 0 or 1.
The mapping does not take effect until you apply it to a logical interface. To apply a map to a logical interface, include the frame-relay-de map-name statement at the [edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-maps] hierarchy level:
[edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-maps]
frame-relay-de map-name;
[Class of Service, System Basics, Network Interfaces]
• Support for Frame Relay DE bit rewriting on Enhanced IQ PICs (M7i, M10i, M40e, M120, M320, MX Series, and T Series routers)—Enables you to rewrite the Frame Relay discard eligibility (DE) bit by including the frame-relay-de statement at the [edit class-of-service loss-priority-rewrites] hierarchy level. For each mapping, the loss priority can be high, medium-high, medium-low, or low. The value of the code point can be 0 or 1.
The Frame Relay DE bit rewrite does not take effect until you apply it to a logical
interface. To apply the Frame Relay DE bit rewrite to the logical interface, include the frame-relay-de map-name statement at the [edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-rewrites] hierarchy level:
[edit class-of-service interfaces interface-name unit logical-unit-number loss-priority-rewrites]
frame-relay-de map-name;
[Class of Service, System Basics, Network Interfaces]
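The following configuration is an added example, not text from the release notes or Juniper documentation, and it covers both of the preceding items: a loss priority map that classifies incoming Frame Relay frames on the DE bit, and a loss priority rewrite that sets the DE bit on outgoing frames from the packet loss priority, each applied to a logical interface. The map and rewrite names (fr-de-class, fr-de-rw), the interface (so-1/0/0 unit 0) and the choice of mapping DE=1 to loss priority high are assumptions; the loss-priority, code-point and frame-relay-de keywords are the ones the release note names.

```junos
# Added example (not from the release notes). Names and the interface are assumptions.
class-of-service {
    loss-priority-maps {
        # Ingress: DE bit -> packet loss priority (PLP)
        frame-relay-de fr-de-class {
            loss-priority low code-point 0;   # DE=0: frame within CIR, keep it
            loss-priority high code-point 1;  # DE=1: discard-eligible, drop first under congestion
        }
    }
    loss-priority-rewrites {
        # Egress: PLP -> DE bit, the inverse of the map above
        frame-relay-de fr-de-rw {
            loss-priority low code-point 0;
            loss-priority high code-point 1;
        }
    }
    interfaces {
        so-1/0/0 {
            unit 0 {
                # Neither the map nor the rewrite has any effect until applied here
                loss-priority-maps {
                    frame-relay-de fr-de-class;
                }
                loss-priority-rewrites {
                    frame-relay-de fr-de-rw;
                }
            }
        }
    }
}
```

Because the DE bit has only two values, the map can carry at most one entry per code point; the four loss priorities listed in the note matter when the same PLP is later carried into an MPLS control word or a DSCP rewrite, where the medium levels become meaningful.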
• Support for carrying DE, FECN, and BECN bit information in Layer 2 VPN and Layer 2 circuit control word (M120, M320, MX Series, and T Series routers)—Provides additional class-of-service (CoS) support for Frame Relay services over MPLS using Layer 2 virtual private networks (VPNs) and Layer 2 circuits. When you perform control word classification and rewrite, the discard eligibility (DE) bit, forward explicit congestion notification (FECN) bit, and backward explicit congestion notification (BECN) bit in the incoming Frame Relay packet for the circuit cross-connect (CCC) family are mapped to the Layer 2 circuit control word across the MPLS backbone. To enable this mapping, include the translate-discard-eligible and translate-fecn-and-becn statements at the [edit interfaces interface-name unit logical-unit-number family ccc] hierarchy level.
You can classify and rewrite the control word DE bit based on the packet loss priority
(PLP) by using the translate-plp-control-word-de statement at the [edit interfaces
interface-name unit logical-unit-number family ccc] hierarchy level. When you configure
the translate-plp-control-word-de statement on the ingress PE router, the DE bit in the
control word is rewritten based on the PLP. When you configure the
translate-plp-control-word-de statement on the egress PE router, the PLP is derived
based on the control word DE bit and the DE bit in the outgoing Frame Relay header
is rewritten based on the PLP. By default, control word classification and rewrite is
disabled. The mapping of the PLP to the DE bit in the control word and the outgoing Frame Relay packet is fixed. For rewriting, the PLP values low and medium-low are mapped to the DE bit 0 and the PLP values high and medium-high are mapped to the
DE bit 1. For classifying, the DE bit 0 is mapped to the PLP value low and the DE bit 1 is
mapped to the PLP value high.
To enable control word classification and rewrite, include the following statements at
the [edit interfaces interface-name unit logical-unit-number family ccc] hierarchy level:
[edit interfaces interface-name unit logical-unit-number] {
    encapsulation frame-relay-ccc;
    point-to-point;
    dlci dlci-number;
    family ccc {
        translate-discard-eligible;
        translate-fecn-and-becn;
        translate-plp-control-word-de;
    }
}
NOTE: The translate-discard-eligible and translate-plp-control-word-de statements are mutually exclusive—that is, you can configure only one of these statements.
[Network Interfaces]
• Extends support for the Two-Way Active Measurement Protocol (TWAMP) on MX Series routers with MPC/MIC interfaces—You can now configure TWAMP (RFC 5357) on MX Series routers with MPC/MIC interfaces. To configure TWAMP properties, include the twamp statement at the [edit services rpm] hierarchy level. In previous Junos OS releases, this feature was supported on M Series and T Series routers that support Multiservices PICs (running in either Layer 2 or Layer 3 mode), and on MX Series routers.
[Services Interfaces]
• Connecting the JCS1200 platform to a TX Matrix Plus Router now supported—Both RSD (root system domain) and PSD (protected system domain) are now supported on TX Matrix Plus routers.
A Protected System Domain (PSD) system consists of a redundant Routing Engine pair (or single Routing Engine) on the JCS1200 platform, matched with one or more Flexible PIC Concentrators (FPCs) on a T Series router. You can now connect a TX Matrix Plus router to the JCS1200 platform to function as a PSD. To configure a multichassis PSD, include the lcc number fpcs number statement at the [edit chassis system-domains protected-system-domains] hierarchy level. Up to 12 FPCs can be configured for a PSD.
show chassis psd is now also supported on TX Matrix Plus routers.
[Protected System Domain, System Basics, JCS1200 Control System Hardware Guide, TX Matrix Plus Hardware Guide]
• Support for 40-Gigabit Ethernet PIC with CFP (PD-1XLE-CFP) on T1600 and T640 routers—The 40-Gigabit Ethernet PIC with CFP (PD-1XLE-CFP) is a 1-port 40-Gigabit Ethernet Type 4 PIC with C form-factor pluggable (CFP) optics supported on T1600
and T640 routers. The 40-Gigabit Ethernet PIC with CFP occupies FPC slot 0 or 1 in
the Type 4 FPC. It shares certain common features, such as flexible encapsulation and
MAC accounting, with the 4-port 10-Gigabit Ethernet LAN/WAN PIC with XFP (model
number PD-4XGE-XFP).
[Network Interfaces, Interfaces Command Reference, T640 PIC Guide, T1600 PIC Guide]
• Support for channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP (MX Series routers)—Enables support for SONET/SDH and PDH interfaces on MX Series routers. There are two types of SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP—the 8-port Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP (model number: MIC-3D-8CHOC3-4CHOC12), and the 4-port Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP (model number: MIC-3D-4CHOC3-2CHOC12). These MICs support POS/PDH interfaces on the MX80 3D Universal Edge Routers and other MX Series routers using the MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ MPCs to position a single device to meet multiservice edge requirements. These MICs provide the following basic functions:
• SONET/SDH/PDH framing
• Preclassification
NOTE: CoS support is not directly available on these MICs. CoS functions are completely implemented in the Packet Forwarding Engine. These MICs only preclassify the packets.
The following features are supported on the Channelized SONET/SDHOC3/STM1
(Multi-Rate) MICs with SFP:
• Default framing on all ports is SONET.
• The MIC supports SONET and SDH framing mode on a per-port basis. To enable SONET or SDH framing, you need to set the framing statement at the [chassis fpc MPC-slot-number pic MIC-slot-number port port-number] hierarchy level.
• The MIC supports channelized OC3/STM1 and channelized OC12/STM4 configuration on a per-port basis. You can set the speed of the port by configuring the speed statement at the [chassis fpc MPC-slot-number pic MIC-slot-number port port-number] hierarchy level.
• By default, the speed of a port is set to OC3/STM1. You can use the show interface
extensive operational mode command to view the speed of an interface.
• The MIC supports remote and local loopback. Loopbacks can be configured
independently on each port.
• Simultaneous T3 and E3 interfaces can exist on the cau4 controller-level interface.
• Simultaneous T1 and E1 interfaces can exist on the cau4 controller-level interface.
NOTE:
• The Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP does not support aggregate SONET (link bundling).
• The Channelized SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP does not support container interfaces.
• When a port is configured as channelized OC12, only six of the twelve OC1 slices can be deep-channelized from T1 through DS0. The remaining six OC1 slices can be channelized only to T3 or can be combined to form two OC3 slices. They cannot be channelized to T1 or DS0.
[Channelized Interfaces, SONET/SDH Interfaces, Class of Service, System Basics]
• Support for DS3/E3 MIC (MX Series routers)—Enables support for PDH interfaces on the MX80 3D Universal Edge Router and other MX Series routers using the MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ MPCs to position a single device to meet multiservice edge requirements. You can configure the DS3/E3 MIC (model number: MIC-3D-8DS3-E3) to function either in clear-channel mode or in channelized mode. When functioning in channelized mode, the DS3/E3 MIC supports PDH interfaces on the MX80 3D Universal Edge Router and MX Series routers that use MX-MPC1-3D-Q, MX-MPC2-3D-Q, or MX-MPC2-3D-EQ. When functioning in clear-channel mode, this MIC also supports PDH interfaces on the MX-MPC1-3D and MX-MPC2-3D MPCs.
The DS3/E3 MIC provides the following basic functions:
• PDH framing
• Preclassification
NOTE: CoS support is not directly available on this MIC. CoS functions are completely implemented in the Packet Forwarding Engine. The MIC only preclassifies the packets.
By default, the DS3/E3 MIC functions in clear-channel mode. To enable the DS3/E3 MIC to function in channelized mode, you need to use the software license S-MIC-3D-8CHDS3. To enable channelization, set the channelization option at the [chassis fpc MPC-slot-number pic MIC-slot-number] hierarchy level. You can use the channelization option to channelize individual DS3 interfaces.
NOTE:
• You can configure the channelization option to enable channelization for the DS3/E3 MICs only. Moreover, you can use the channelization option only on MX Series routers with Queuing and Enhanced Queuing MPCs (MX-MPC1-3D-Q, MX-MPC2-3D-Q, and MX-MPC2-3D-EQ) or on MX80 routers. Configuring the channelization option on other MPCs does not have any effect. The MIC continues to operate in clear-channel mode.
• Only clear-channel E3 mode is supported on the DS3/E3 MIC. Therefore, configuring the channelization option does not impact the E3 functionality.
You can enable DS3 or E3 framing mode on individual ports of the DS3/E3 MIC. To do this, set the framing statement at the [chassis fpc MPC-slot-number pic MIC-slot-number port port-number] hierarchy level. By default, DS3 mode is enabled.
NOTE: The DS3/E3 MIC does not support E3 subrate and scrambling.
[Channelized Interfaces, Class of Service, System Basics]
• Enhanced MX Switch Control Board (MX960, MX480, and MX240 routers)—The Enhanced MX SCB uses an XF chip that provides more than 120 Gbps per slot of
bandwidth with redundancy. This SCB is supported on MX960, MX480, and MX240
routers, and consists of the following components:
• XF chip—Facilitates fabric planes
• 3 Gbps and 6 Gbps HSL2 link speed
• Front panel clock interface for future clocking support
• Front panel small form-factor pluggable (SFP) transceivers or SFP+ external Ethernet switch interface for future support
[MX960 3D Universal Edge Router Hardware Guide, MX480 3D Universal Edge Router Hardware Guide, MX240 3D Universal Edge Router Hardware Guide]
• Command output changes for Enhanced MX Switch Control Board (MX960, MX480, and MX240 routers)—The Enhanced MX Switch Control Board (SCB) caters to the carrier Ethernet services router and carrier Ethernet transport markets that require
higher-capacity traffic support demanding greater interface density (slot and capacity
scale), as well as improved services.
Starting with Release 11.4, Junos OS supports the Enhanced MX SCB, thereby resulting
in the following command output changes:
• show chassis environment command displays CBN SF A and CBN SF B for the temperatures of the existing SF ASICs. For the Enhanced MX SCB, the temperature sensor is still present, but it now measures the temperature of the XF ASIC. The display output now shows CBN XF A and CBN XF B.
• show environment cb command now includes information about new Power
Management BUS (PMBus) devices on the board, including measured voltage,
measured current, and calculated power.
• show chassis hardware command shows the new part number 750-031391, and the description is Enhanced MX SCB.
• show chassis hardware models command shows the new model SCBE-MX-S.
• show chassis hardware extensive command shows the new assembly ID 0x09b0.
• The output of the following commands shows a maximum of four active planes for the Enhanced MX SCB on MX Series routers with MPCs.
• show chassis fabric summary
• show chassis fabric fpc
• show chassis fabric plane
[System Basics]
• Physical interface policers on MX Series routers with MPC/MIC interfaces—Physical interface policers are now available on the Trio chipset.
[Policy]
• Support for FIB Localization—In Junos OS Release 11.4 and later, you can configure FIB localization for a Packet Forwarding Engine. FIB localization characterizes Packet
Forwarding Engines in a router as either “FIB-Remote” or “FIB-Local”. FIB-Local Packet
Forwarding Engines install all routes from the default inet and inet6 route tables into
the Packet Forwarding Engine forwarding hardware. By default, FIB-Remote Packet
Forwarding Engines do not install routes for these tables. Instead, FIB-Remote Packet
Forwarding Engines create a default (0/0) route in the Packet Forwarding Engine
forwarding hardware for the inet and inet6 table. The default route references a next
hop or a unilist of next hops that indicate the FIB-Local Packet Forwarding Engines
that can perform full IP table lookups for received packets.
When FIB localization is configured on a router with some FPCs being FIB-Remote and
some others being FIB-Local, packets arriving on the interface of the FIB-Remote FPC
are forwarded to one of the FIB-Local FPCs for route lookup and forwarding.
The advantage of configuring FIB localization is that it enables upgrading the hardware
forwarding table capacity of FIB-Local Packet Forwarding Engines while not requiring
upgrades to the FIB-Remote Packet Forwarding Engines. In a typical network
deployment, FIB-Local Packet Forwarding Engines are core-facing while FIB-Remote
Packet Forwarding Engines are edge-facing. The FIB-Remote Packet Forwarding
Engines also load-balance traffic over the available set of FIB-Local Packet Forwarding Engines.
To configure FIB localization, for IPv4 or IPv6 traffic, include the route-localization
statement at the [edit chassis] hierarchy level. To configure the Packet Forwarding
Engine of an FPC as either FIB-Local or FIB-Remote, include the fib-local or fib-remote
statement at the [edit chassis fpc fpc-number route-localization] hierarchy level. To
configure a routing policy to enable the forwarding table policy to mark route prefixes
for installation in the forwarding hardware on the FIB-Remote Packet Forwarding
Engines, include the no-route-localize statement at the [edit policy-options policy-statement policy-name term term-name then] hierarchy level.
To verify route localization information, issue the show route localization or the show
route localization detail commands.
[System Basics, Policy]
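The following configuration is an added example, not from the release notes: FPC 0 is the core-facing FIB-Local slot, FPC 2 is the edge-facing FIB-Remote slot, and a forwarding-table export policy keeps one management prefix on the FIB-Remote Packet Forwarding Engine so that traffic to it does not take the extra fabric hop. The slot numbers, the 10.0.0.0/24 prefix, the policy name, and the routing-options forwarding-table export statement are assumptions, not taken from the page.

```junos
/* Added example (not from the release notes): FIB localization with
   core-facing FPC 0 as FIB-Local and edge-facing FPC 2 as FIB-Remote.
   Slot numbers, the 10.0.0.0/24 prefix, and the policy name are assumed. */
chassis {
    route-localization {
        inet;                              /* localize the default inet table */
        inet6;                             /* and the default inet6 table */
    }
    fpc 0 {
        route-localization fib-local;      /* full inet/inet6 FIB installed in hardware */
    }
    fpc 2 {
        route-localization fib-remote;     /* only a 0/0 route pointing at FIB-Local PFEs */
    }
}
policy-options {
    policy-statement keep-on-remote {
        /* Prefixes matched here are also installed on FIB-Remote PFEs,
           so traffic to them is looked up locally instead of being
           forwarded across the fabric to a FIB-Local PFE first. */
        term management {
            from {
                route-filter 10.0.0.0/24 orlonger;
            }
            then no-route-localize;
        }
    }
}
routing-options {
    forwarding-table {
        export keep-on-remote;             /* assumed: applies the policy to the forwarding table */
    }
}
```

Check the result with show route localization detail: the prefixes matched by the policy should be reported as installed on FPC 2, everything else only on FPC 0. Because a FIB-Remote Packet Forwarding Engine holds only the 0/0 route, every packet it receives for an unmatched destination crosses the fabric regardless of where it is going, so size the FIB-Local Packet Forwarding Engines and the fabric for that traffic before converting an edge slot.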
• Junos OS 64-bit migration on the T1600 Router—Unified in-service software upgrade (unified ISSU) is not supported when upgrading from 32-bit Junos OS to 64-bit Junos OS, because GRES and NSR must be disabled during the upgrade. Mixing 32-bit Junos OS and 64-bit Junos OS is not supported except for a small window of time during the upgrade process.
• Support for IGMP snooping over MPCs (MX Series routers with MPCs)—Junos OS Release 11.4 supports the configuration of IGMP snooping over MPCs. For information about how to configure IGMP snooping, see the Junos OS Multicast Protocols Configuration Guide.
[MX Series 3D Universal Edge Router Line Card Guide]
• Passive flow monitoring support on ES-FPCs (T640 and T1600 routers)—Passive monitoring enables you to perform lawful intercept of packets that traverse an Ethernet link between routers or switches. Passive monitoring support is now extended for IPv4 and IPv6 to the following PICs for the T640 and T1600 routers:
• Gigabit Ethernet PIC with SFP
• 10-Gigabit Ethernet PIC with XENPAK (T1600 router)
• SONET/SDH OC192/STM64 PIC (T1600 router)
• SONET/SDH OC192/STM64 PICs with XFP (T1600 router)
• SONET/SDH OC48c/STM16 PIC with SFP (T1600 router)
• SONET/SDH OC48/STM16 (Multi-Rate)
• SONET/SDH OC12/STM4 (Multi-Rate) PIC with SFP
• Type 1 SONET/SDH OC3/STM1 (Multi-Rate) PIC with SFP
IPv6 passive monitoring is not supported on Monitoring Services PICs. You must configure port mirroring to forward the packets from the passively monitored ports to other interfaces. To configure port mirroring, include the port-mirroring statement at the [edit forwarding-options] hierarchy level.
Configuring the interface in passive monitoring mode automatically configures it in promiscuous mode. To configure passive monitoring, include the passive-monitor-mode
statement at the [edit interfaces interface-name] hierarchy level. Gigabit Ethernet
interfaces in passive monitoring mode do not support the stacked-vlan-tagging
statement.
To remove MPLS labels, include the pop-all-labels statement at the [edit interfaces interface-name gigether-options mpls] hierarchy level.
[Services Interfaces, Network Interfaces]
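The configuration below is an added example, not from the release notes: a T1600 Gigabit Ethernet interface placed in passive monitoring mode with the MPLS label stack stripped, and the captured IPv4 and IPv6 packets mirrored to a collector on a second interface. The interface names, the collector addresses (192.0.2.0/30 and 2001:db8::/64 are documentation ranges), the mirror rate, and the family inet6 output branch of port-mirroring are assumptions.

```junos
/* Added example (not from the release notes): passive monitoring tap on
   ge-1/0/0 with all MPLS labels popped, mirrored to a collector reached
   through ge-2/0/0. Interface names and addresses are assumed. */
interfaces {
    ge-1/0/0 {
        passive-monitor-mode;              /* receive-only tap; promiscuous mode is implied */
        gigether-options {
            mpls {
                pop-all-labels;            /* expose the IP header beneath the label stack */
            }
        }
        unit 0 {
            family inet;                   /* no address: the tap never transmits */
            family inet6;
        }
    }
    ge-2/0/0 {
        description "to lawful-intercept collector";
        unit 0 {
            family inet {
                address 192.0.2.1/30;
            }
            family inet6 {
                address 2001:db8::1/64;
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            rate 1;                        /* mirror every packet, not a sample */
        }
        family inet {
            output {
                interface ge-2/0/0.0 {
                    next-hop 192.0.2.2;    /* collector's IPv4 address */
                }
            }
        }
        family inet6 {                     /* assumed: IPv6 mirror output */
            output {
                interface ge-2/0/0.0 {
                    next-hop 2001:db8::2;  /* collector's IPv6 address */
                }
            }
        }
    }
}
```

The tap interface cannot use stacked-vlan-tagging, and it only receives; nothing configured under it is ever transmitted. The mirrored stream is an unfiltered copy of intercepted traffic, so terminate it on a dedicated interface toward the collector, and protect this part of the configuration with the same access controls as the rest of the lawful-intercept setup.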
• Layer 2 interface statistics enhancement—On Dense Port Concentrators (DPCs) on MX Series routers, when a bridge domain is configured with an integrated routing and
bridging (IRB) interface, packets that are routed by the IRB interface and transmitted
out through a Layer 2 interface that is part of the bridge domain are now accounted
for in the corresponding Layer 2 interface statistics. Prior to Junos OS Release 11.4, the
Layer 2 interface statistics did not account for those packets that were routed by an
IRB. The show interfaces irb extensive command displays the IRB-related statistics,
while the show interfaces statistics interface-name command displays the layer 2
interface level statistics.
[Interfaces Command Reference]
• Display pseudowire Layer 2 policing statistics (MX Series routers with MPCs/MICs or enhanced DPCs)—The Junos OS Routing Engine, kernel, and Packet Forwarding Engine can collect the statistics for a pseudowire policer from all Packet Forwarding
Engines and display them on the Routing Engine. These statistics are displayed when
you execute the show interfaces command, if a pseudowire policer is enabled.
This feature is available for pseudowire logical interfaces at egress.
[MX Solutions Guide]
• Support for 64-bit Junos OS on T640 and TX Matrix Plus routers—Enables you to run 64-bit Junos OS on T640 and TX Matrix Plus routers. This feature also allows you to migrate from the existing 32-bit Junos OS, without any loss of features. However,
64-bit capable Routing Engines are required for upgrading to 64-bit Junos OS. The
64-bit version of Junos OS supports:
• Physical memory of more than 4 GB.
• Increased virtual address space for applications.
The following features are not supported by 64-bit Junos OS:
• Running different versions of Junos OS on separate Routing Engines. Both Routing Engines must run either 32-bit or 64-bit Junos OS in a single physical or virtual chassis.
• Upgrade, without downtime, from 32-bit to 64-bit Junos OS using unified in-service
software upgrade (unified ISSU).
In Junos OS Release 11.4, no new CLI commands or alarms are introduced for this
feature.
[System Basics and Services Command Reference, Interfaces Command Reference,
Software Installation and Upgrade]
• Limiting blackhole time by detecting Packet Forwarding Engine destinations that are unreachable over the fabric (T640 and T1600 routers)—Enables the T640 and T1600 routers to limit blackhole time by detecting unreachable destination Packet Forwarding Engines. The router signals neighboring routers when it cannot carry traffic because some or all source Packet Forwarding Engines are unable to forward traffic to some or all destination Packet Forwarding Engines on any fabric plane after interfaces have been created. This inability to forward traffic results in the system blackholing traffic.
Packet Forwarding Engine destinations can become unreachable because of the
following reasons:
• The fabric Switch Interface Boards (SIBs) go offline as a result of a CLI command
or a pressed physical button.
• The fabric SIBs are taken offline by the Switch Processor Mezzanine Board (SPMB) because of high temperature.
• Voltage or polled I/O errors in the SIBs detected by the SPMB.
• All Packet Forwarding Engines get destination errors on all planes from remote
Packet Forwarding Engines, even when the SIBs are online.
• Complete fabric loss caused by destination timeouts, even when the SIBs are online.
When the system detects unreachable Packet Forwarding Engine destinations, it attempts to heal the blackholing. If healing fails, the system turns off the interfaces, thereby stopping the blackholing.
The recovery process consists of the following steps:
1. Fabric plane restart phase: Healing is attempted by restarting the fabric planes one
by one.
2. Fabric plane and FPC restart phase: Healing is attempted by restarting both the
fabric planes and the FPCs. If there are bad FPCs that are unable to initiate
high-speed links to the fabric after reboot, blackholing is limited because no
interfaces are created for these FPCs.
3. FPC offline phase: Blackholing is limited by turning the FPCs offline and by turning
off interfaces because previous attempts at recovery have failed.
By default, the system limits blackhole time by detecting a severely degraded fabric. You do not need to configure anything to enable this feature. However, you can limit recovery actions to fabric plane restart only, in which case you must perform steps 2 and 3 manually to fix the blackholing.
In Junos OS Release 11.4, new alarms are added to indicate which FPCs are blackholing traffic in the system and to provide information about FPCs that are taken offline to stop the blackholing in the recovery process.
In Junos OS Release 11.4, new error messages are added to indicate whether blackholing is detected because of unreachable FPCs in the system or because all planes are offline. These messages also indicate the actions taken on FPCs and planes to
stop the blackholing—for example, FPC online, FPC offline, FPC restart, FPC power off, plane online, and plane offline.
In Junos OS Release 11.4, two new CLI commands are introduced for this feature:
• The show chassis fabric unreachable-destinations command shows the list of
destinations that have changed from reachable to unreachable.
• The show chassis fabric reachability command shows the current state of fabric
destination reachability, based on periodic reachability checks.
[System Basics and Services Command Reference, System Log Messages Reference]
• Microcode remap (M320 and M120 routers)—M320 routers with E3 type-1 FPCs and M120 routers with a single type-1 FPC mapped to an FEB support a new microcode map that resolves the microcode overflow that otherwise results in unsupported PIC combinations.
On M320 routers, the new microcode map is enabled by default and is the only option available.
On M120 routers, you can enable the new microcode map by using the ucode-imem-remap statement at the [edit chassis feb slot-number] hierarchy level. On M120 routers, the default microcode map remains in effect if the ucode-imem-remap statement is not configured.
[edit chassis]
feb slot-number {
    ucode-imem-remap;
}
NOTE: On M120 routers, the FEB is automatically restarted after the ucode-imem-remap statement is configured and committed.
[System Basics, Network Interfaces]
• Support for ESMC or SSM quality-based clock selection mode (MX Series routers)—Enables you to decide whether clock source selection should use the configured or the received Ethernet Synchronization Message Channel (ESMC) or Synchronization Status Message (SSM) quality level for a qualifying interface.
If you configure the selection-mode statement as configured-quality at the [edit chassis
synchronization] hierarchy level, then the clock source selection algorithm uses the
ESMC or SSM quality level configured for a qualifying interface.
If you configure the selection-mode statement as received-quality at the [edit chassis
synchronization] hierarchy level, then the clock source selection algorithm uses the
ESMC or SSM quality level received on the qualifying interface.
In both selection modes, the interface qualifies for clock source selection only when the received ESMC or SSM quality level on the interface is equal to or better than the configured ESMC or SSM quality level for the interface.
For the selection-mode statement configuration to take effect, you must set the
quality-mode-enable statement at the [edit chassis synchronization] hierarchy level.
To configure the ESMC or SSM quality-based clock selection mode, include the
quality-mode-enable and selection-mode statements at the [edit chassis
synchronization] hierarchy level.
[System Basics, Junos OS Configuration Statements and Commands]
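The configuration below is an added example, not from the release notes: quality-based selection that trusts the quality level received on the line rather than the configured one, with two candidate sources. The page names only the quality-mode-enable and selection-mode statements; the network-option statement, the source interfaces hierarchy with its quality-level and priority statements, and the interface names are assumptions.

```junos
/* Added example (not from the release notes): ESMC/SSM quality-based
   clock selection using the received quality level. The network-option
   and source/quality-level/priority statements are assumed. */
chassis {
    synchronization {
        network-option option-1;           /* assumed: SDH quality levels (prc, ssu-a, ssu-b, sec) */
        quality-mode-enable;               /* required, otherwise selection-mode has no effect */
        selection-mode received-quality;   /* rank sources by the QL carried in received ESMC/SSM;
                                              configured-quality would rank by quality-level below */
        source {
            interfaces xe-0/0/0 {
                quality-level prc;         /* configured QL: the received QL must be at least this
                                              good for the interface to qualify at all */
                priority 1;
            }
            interfaces xe-1/0/0 {
                quality-level ssu-a;
                priority 2;
            }
        }
    }
}
```

In either mode the configured quality-level acts as a floor: a source whose received quality level is worse than it is dropped from selection. ESMC carries no authentication, so with received-quality a neighbor that advertises a better quality level than it actually holds can win the selection; keep the configured floor tight on interfaces that face equipment you do not control.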
• Additional MPC support for SONET/SDH OC3/STM1 (Multi-Rate) MICs with SFP (MX Series routers)—There are two types of SONET/SDH (Multi-Rate) MICs with SFP: the 8-port SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP, which offers high port density, and the 4-port SONET/SDH OC3/STM1 (Multi-Rate) MIC with SFP, which offers low port density. These MICs were introduced in Junos OS Release 11.2. Refer to the Junos OS 11.2 release notes for more information.
In Junos OS Release 11.2, the 8-port and 4-port SONET/SDH OC3/STM1 (Multi-Rate)
MICs with SFP are supported on the following MPCs:
• 30-Gigabit Ethernet MPC (MX-MPC1-3D)
• 30-Gigabit Ethernet Queuing MPC (MX-MPC1-3D-Q)
In Junos OS Release 11.4, the support for 8-port and 4-port SONET/SDH OC3/STM1
(Multi-Rate) MICs with SFP has been extended to the following MPCs:
• 60-Gigabit Ethernet MPC (MX-MPC2-3D)
• 60-Gigabit Ethernet Queuing MPC (MX-MPC2-3D-Q)
• 60-Gigabit Ethernet Enhanced Queuing MPC (MX-MPC2-3D-EQ)
[Network Interfaces]
• Consortium Local Management Interface extended to Frame Relay protocol (MX Series routers)—Extended Consortium Local Management Interface (C-LMI) support for MX Series routers with the specified MICs adds support for Consortium LMI based on the "Gang of Four" or "Consortium" standard (Section 6).
The following MICs are supported:
• MIC-8OC3OC12-4OC48-SFP—8-port Clear-Channel OC3/OC12/STM-1/STM-4,
4-port Clear-Channel OC48/STM-16
• MIC-4OC3OC12-1OC48-SFP—4-port Clear-Channel OC3/OC12/STM-1/STM-4, 1-port
Clear-Channel OC48/STM-16
• MIC-3D-8CHOC3-4CHOC12-SFP—8-port Channelized OC3/STM-1, 4-port
Channelized OC12/STM-4
• MIC-3D-4CHOC3-2CHOC12-SFP—4-port Channelized OC3/STM-1, 2-port
Channelized OC12/STM-4
• MIC-3D-8DS3-E3—8-port Clear-Channel DS3/E3
The following are also supported:
• MX80
• MX-MPC1-3D—30 Gbps, per-port queuing, 64K logical interfaces
• MX-MPC2-3D—60 Gbps, per-port queuing, 64K logical interfaces
• MX-MPC1-3D-Q—30 Gbps, enhanced queuing, 128K queues (maximum 64K egress), 32K logical interfaces
• MX-MPC2-3D-Q—60 Gbps, enhanced queuing, 256K queues (maximum 128K egress), 64K logical interfaces
To configure C-LMI, you can use the lmi-type statement with its c-lmi option at the
[edit interfaces interface lmi] hierarchy level.
The following encapsulation types are not supported:
• frame-relay-port-ccc
• extended-frame-relay-ether-type-tcc
• frame-relay-ether-type
• frame-relay-ether-type-tcc
[Channelized Interfaces, SONET/SDH Interfaces, E1/E3/T1/T3 Interfaces, Interfaces
Fundamentals]
• IPv6 support for the dynamic flow capture (DFC) application—Starting with Junos OS Release 11.4, support for intercepting IPv6 flows through the DFC application is extended to M320 and T Series routers. IPv6 support is configured using the family inet6 statement at the [edit interfaces dfc-identifier unit 1] hierarchy level.
[Services Interfaces]
• Support for 802.1ag connectivity fault management (CFM) monitoring with service protection (MX Series routers with MPC/MIC interfaces)—Extends support for service protection functionality for Carrier Ethernet transport networks to MX Series routers with MPC/MIC interfaces. Service protection is achieved by configuring a working and a protect transport path. These transport paths can be monitored using the 802.1ag CFM protocol.
[Network Interfaces]
• Support for chassis Enhanced Network Services modes (MX Series routers with MPCs)—You can configure MX Series 3D Universal Edge Routers to run in different network services modes. Each network services mode defines how the chassis identifies and uses certain modules. Junos OS Release 11.4 adds Enhanced IP Network Services mode and Enhanced Ethernet Network Services mode.
To configure the chassis for Enhanced Network Services modes, include the
network-services statement along with either the enhanced-ip or enhanced-ethernet
service option at the [edit chassis] hierarchy level.
When the chassis is configured for Enhanced IP Network Services mode, only MPCs and Multiservices DPCs are powered on. When the chassis is configured for Enhanced Ethernet Network Services mode, only MPCs and Multiservices DPCs are powered on
and all restrictions for operating in Ethernet Network Services mode apply. For
information about Ethernet Network Services restrictions, see “Restrictions on Junos
OS Features for MX Series Routers” in the Junos OS System Basics Configuration Guide.
NOTE: Only Multiservices DPCs are powered on with the Enhanced Network Services mode options. No other DPCs function with the Enhanced Network Services mode options.
[System Basics]
• 6rd support for Anycast—Enables hosting of a 6rd domain on multiple service PICs by assigning the same softwire rules to two service sets that use different service interfaces. Only one PIC actively processes the 6rd traffic at any time. When the currently active PIC goes down, the other PIC hosting the same 6rd domain becomes active and takes over the processing of 6rd traffic.
[Services Interfaces, Next-Generation Network Addressing]
• 6rd support for hairpinning—Enables packets exiting one 6rd softwire to be processed by another softwire after twice-NAT processing. This applies when a host behind a softwire initiator tries to communicate with another host behind a softwire initiator.
[Services Interfaces, Next-Generation Network Addressing]
• DS-Lite support for Anycast and 6PE (IPv6 Provider Edge)—Anycast enables hosting of a DS-Lite domain on multiple service PICs by assigning the same softwire rule to two service sets that use different service interfaces. Only one PIC actively processes the DS-Lite traffic at any time. When the currently active PIC goes down, the other PIC hosting the same DS-Lite domain becomes active and takes over the processing of DS-Lite traffic. Anycast provides these benefits:
• Service continuity and load-balancing.
• Simplified configuration—one interface address can be used by one or more softwire initiators.
6PE is available for ISPs with MPLS-enabled networks. These networks can now use MP-BGP to provide connectivity between the DS-Lite B4 and AFTR (or any two IPv6 nodes). DS-Lite properly handles encapsulation and decapsulation despite the presence of additional MPLS header information.
[Services Interfaces, Next-Generation Network Addressing Solutions]
• Support for interface-level DHCP statistics (MX Series 3D Universal Edge Routers)—DHCP local server statistics are now maintained per interface. The show dhcp server statistics, show dhcpv6 server statistics, and clear dhcp server statistics commands now display information about extended DHCP and DHCPv6 local server statistics on the specified interface.
[System Basics Configuration Guide]
• Support for connection protection optimization in CFM (MX Series routers)—You can now optimize connection protection in Carrier Ethernet networks using existing continuity-check message (CCM) functionality to help increase network reliability and stability. Ethernet Connectivity Fault Management (CFM) monitors end-to-end services by exchanging CCMs at a configurable periodic interval. Starting in Release 11.4, Junos OS provides configuration support to trigger faster protection switching and faster convergence using the interface-status type, length, and value (TLV) in CCM packets when a failure condition is detected. Faster protection switching and convergence can be used when customer edge (CE) devices in the Ethernet domain detect service failures faster and propagate the information in the interface-status TLV of the CCMs. Upon receiving the CCMs, the provider edge (PE) devices can be configured to take certain actions to facilitate faster protection switching and convergence. The features supported include:
• Configuring faster protection-switching and faster convergence using an action
profile with the action and clear-action statements.
• Configuring a primary virtual LAN (VLAN) ID using the primary-vid statement.
• Extending MEP functionality to accept a different maintenance association identifier (ID) from a neighbor by using the remote-maintenance-association statement.
[Network Interfaces]
• Synchronous Ethernet support for 10-Gigabit Ethernet MICs in LAN mode (MX Series routers)—Junos OS Release 11.4 extends Synchronous Ethernet functionality on the 10-Gigabit Ethernet MICs by providing support while operating in LAN framing mode. In LAN mode, the LAN frequency is fed directly by the MIC's on-board clocking circuitry.
To enable Synchronous Ethernet on the 10-Gigabit Ethernet MICs, you must enable LAN framing mode using the framing statement's lan option at the [edit chassis fpc fpc-slot pic pic-slot] hierarchy level.
The interface must also be configured in LAN-PHY mode using the framing-mode statement's lan-phy option at the [edit interfaces xe-fpc-slot/pic-slot/port] hierarchy level.
[Ethernet Interfaces]
• New MX5, MX10, and MX40 3D Universal Edge Routers—Three new routers based on the modular MX80 chassis are available in Junos OS Release 11.2R3. Each router is a compact Ethernet-optimized edge router that provides switching and carrier-class Ethernet routing. Each router provides full-duplex, high-density Ethernet interfaces and high-capacity switching throughput, and uses the Trio chipset for increased scalability of L2/L3 packet forwarding, buffering, and queuing.
The ports are restricted based on the router’s associated license as follows:
• MX5 router comes prepopulated with the Gigabit Ethernet MIC with SFP and allows usage of all 20 ports.
• MX10 router comes prepopulated with the Gigabit Ethernet MIC with SFP and allows usage of all 20 ports and installation of an additional MIC in MIC slot 2.
• MX40 router allows usage of both MIC slots and the first two ports of the fixed
10-Gigabit Ethernet MIC (labeled 0/MIC 0).
• MX80 router allows usage of both MIC slots and all four ports of the 10-Gigabit
Ethernet MIC (labeled 0/MIC 0).
Licenses allow you to upgrade from one router to another without a hardware upgrade.
[MX5, MX10, MX40 and MX80 Hardware Guide, Line Card Guide]
• License support to enhance port capacity of MX5, MX10, and MX40 routers—Enables you to enhance the port capacity of the router without a hardware upgrade, by installing additional licenses. For example, an MX5 router, an MX10 router, or an MX40 router can have the port capacity of an MX80 router, provided the required licenses are installed. These routers use feature pack licenses, which provide additional port capacity with the same hardware. The soft enforcement policy allows the user to use a port for a certain period of time (usually a grace period of 30 days), and reverts the port to its unlicensed state if the license for that feature is not installed after the grace period. During the grace period, a reminder to purchase the license is reported in the system logs. Licenses can be upgraded or downgraded. When you downgrade the license, the port associated with the license becomes unusable. The upgrade license model with the feature ID is described in Table 3 on page 71.
Table 3: Upgrade License Model for MX5, MX10, and MX40 Routers

Feature ID   Feature Name              Functionality Allowed
f1           MX5T to MX10T upgrade     Allows usage of ports in MIC slot 2.
f2           MX10T to MX40T upgrade    Allows usage of ports in MIC slot 2, and the first two ports of MIC slot 0.
f3           MX40T to MX80T upgrade    Allows usage of ports in MIC slot 2, with all four ports of MIC slot 0.
To upgrade from one router to a higher-capacity router, the appropriate licenses must be installed. For example, to upgrade an MX5 router to an MX80 router, you must install the licenses for all three features listed in Table 3 on page 71. The three features can be provided in a single license key for ease of use. Nonapplicable feature IDs in a license key cause rejection of the license. If the user installs the license key for the f1 feature on an MX10 router, the license key is rejected because the MX10 router already has the port capacity associated with the f1 feature.
[Line Card Guide, System Basics and Services Command Reference]
• Inline static source NAT (MX Series routers with MPCs/MICs)—Enables configuration of MPCs/MICs to perform static source NAT IPv4-to-IPv4 address translation. Use the new si (services-inline) interface type to define an interface that can be assigned to an interface-style or next-hop-style service set containing a NAT rule for inline NAT using the translation type basic-nat44.
NOTE: Inline NAT does not include stateful firewall functionality; a Multiservices DPC or Multiservices PIC is still required for stateful firewall-related functionality.
Use the show services inline nat statistics interface interface-name command to display inline NAT statistics for all services-inline interfaces or for a particular one.
[Services Interfaces, Network Interfaces, System Basics and Services Command Reference]
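The configuration below is an added example, not from the release notes: next-hop-style inline static source NAT on an MPC in slot 1, translating the inside host 10.1.1.10 to the public address 203.0.113.10 (a documentation range). The slot and interface names, the addresses, the pool, rule, and service-set names, the chassis inline-services bandwidth statement, and the static route for return traffic are assumptions.

```junos
/* Added example (not from the release notes): inline static source NAT
   (basic-nat44) on si-1/0/0 in next-hop style. Names, slot numbers, and
   addresses are assumed. */
chassis {
    fpc 1 {
        pic 0 {
            inline-services {
                bandwidth 1g;              /* assumed: reserves PFE bandwidth for si-1/0/0 */
            }
        }
    }
}
interfaces {
    si-1/0/0 {
        unit 0 {
            family inet;
        }
        unit 1 {
            family inet;
            service-domain inside;         /* private side of the service set */
        }
        unit 2 {
            family inet;
            service-domain outside;        /* public side of the service set */
        }
    }
}
services {
    nat {
        pool public-pool {
            address 203.0.113.10/32;       /* one public address for one inside host */
        }
        rule inside-to-outside {
            match-direction input;         /* applied to traffic entering the inside interface */
            term host-10 {
                from {
                    source-address 10.1.1.10/32;
                }
                then {
                    translated {
                        source-pool public-pool;
                        translation-type {
                            basic-nat44;   /* static 1:1 address translation, no port translation */
                        }
                    }
                }
            }
        }
    }
    service-set inline-nat {
        nat-rules inside-to-outside;
        next-hop-service {
            inside-service-interface si-1/0/0.1;
            outside-service-interface si-1/0/0.2;
        }
    }
}
routing-options {
    static {
        /* assumed: return traffic for the public address must enter the
           outside side of the service set to be translated back. How
           outbound traffic is steered into si-1/0/0.1 (a static route or
           filter-based forwarding) is deployment-specific and omitted. */
        route 203.0.113.10/32 next-hop si-1/0/0.2;
    }
}
```

Verify with show services inline nat statistics interface si-1/0/0. Because basic-nat44 is a static one-to-one mapping and the inline path has no stateful firewall, anything sent to 203.0.113.10 from the outside is translated to 10.1.1.10 and delivered; if the inside host should not be reachable unsolicited, a stateless firewall filter on the outside interface, or a Multiservices DPC or PIC for stateful filtering, is needed in addition to this configuration.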
• DS-Lite support for EIM, EIF, AP-P, and hairpinning—DS-Lite now supports:
• EIM (Endpoint Independent Mapping)—EIM ensures that the source address and
port are always mapped to the same address and port, irrespective of destination
IP address and port.
• EIF (Endpoint Independent Filtering)—EIF allows incoming traffic if at least one outgoing packet was sent and the mapping has not timed out.
• AP-P (Address Pooling Paired)—AP-P guarantees that an internal IP address is always mapped to the same external IP address, irrespective of port numbers.
• Hairpinning—Packets exiting one softwire can go back on another softwire after
twice NAT processing. This is usually the case when one host behind the softwire
initiator (B4) tries to communicate with a host behind another B4.
No new CLI configuration statements have been created to implement these features.
The following example shows a configuration that implements EIM, EIF, and AP-P.
nat {
    rule rule1 {
        match-direction input;
        term t1 {
            then {
                translated {
                    source-pool pool1;
                    translation-type {
                        napt-44;
                    }
                    mapping-type endpoint-independent;
                    filtering-type {
                        endpoint-independent;
                    }
                    address-pooling paired;
                }
            }
        }
    }
}
[Services Interfaces, Next-Generation Network Addressing Solutions]
• Ping and traceroute available for DS-Lite softwire tunnels—You can now use ping
and traceroute to determine the status of DS-Lite softwire tunnels.
• IPv6 Ping—The softwire address endpoint on the DS-Lite softwire terminator (AFTR) is usually configured under softwire and need not be hosted on any interface. When it is not configured on any interface or loopback, previous releases of Junos OS did not reply to pings sent to the IPv6 softwire address. The new availability of an IPv6 ping provides a useful tool for the softwire initiator (B4) to verify the AFTR's softwire address before creating a tunnel.
• IPv4 Ping—A special IPv4 address, 192.0.0.1, is reserved for AFTR. Previous releases
of Junos OS did not respond to any pings sent to this address. B4 and other IPv4
nodes can now ping to this address to see if the DS-Lite tunnel is working.
• Traceroute—AFTR now generates and forwards traceroute packets over the DS-Lite tunnel.
No CLI configuration is necessary to use the new functionality. The following lines have been added to the output of show services softwire statistics interface interface-name ds-lite:
ICMPv4 Error Packets sent :0
ICMPv6 Packets sent :0
[Services Interfaces, Next-Generation Network Addressing Solutions]
Junos OS XML API and Scripting
• Junos XML protocol operation <load-configuration> supports loading sets of configuration mode commands—In Junos XML protocol sessions, the <load-configuration> tag element supports the value set for the action attribute, which allows the client application to provide configuration data as a set of Junos OS configuration mode commands. When a set of configuration mode commands is provided as a data stream, it is enclosed in the <configuration-set> tag element. When the set is provided in a previously saved file, the <configuration-set> tag element is not included in the file. When the action attribute has a value of set, the default and only acceptable value for the format attribute is text.
<rpc>
    <load-configuration url="file-location" action="set" format="text"/>
</rpc>

<rpc>
    <load-configuration action="set" format="text">
        <configuration-set>
            /* configuration mode commands to load */
        </configuration-set>
    </load-configuration>
</rpc>
[Junos XMLManagement Protocol Guide]
• NETCONF Perl client installation supports loading prerequisites from CPAN—Starting with Junos OS Release 11.4, when installing the NETCONF Perl client prerequisites, the install-prereqs.pl script provides the option to install all Perl modules that are part of the prerequisites directly from the Comprehensive Perl Archive Network (CPAN) global repository.
[NETCONF XMLManagement Protocol Guide]
• Support added for the format attribute in Junos XML API operational request tags within a Junos XML protocol or NETCONF session—In Junos XML protocol and NETCONF sessions, a client application can include the format="text" or format="ascii" attribute in the opening tag of operational requests. The server formats the reply as ASCII text instead of the default XML-tagged format. The response, which is enclosed in an <output> tag element within the <rpc-reply> tag element, is identical to the CLI output except in cases where it includes disallowed characters. The Junos XML protocol server substitutes these characters with the equivalent predefined entity reference.
<rpc>
    <operational-request [format="(text | ascii)"]/>
</rpc>

<rpc-reply>
    <output>
        operational-response
    </output>
</rpc-reply>
[NETCONF XMLManagement Protocol Guide, Junos XMLManagement Protocol Guide]
• Support added for NETCONF sessions in the jcs:open() function—The jcs:open() function includes the option to create a session either with the Junos XML protocol server on devices running Junos OS or with the NETCONF server on devices where NETCONF service over SSH is enabled. The additional support for NETCONF sessions permits automation scripts to configure and manage devices in a multivendor environment.
When specifying a session protocol, the SLAX syntax is:
var $connection = jcs:open(remote-hostname,session-options);
where session-options is an XML node-set that specifies the session protocol and
connection parameters. The structure of the node-set is:
var $session-options := {
    <method> ("junoscript" | "netconf" | "junos-netconf");
    <username> "username";
    <passphrase> "passphrase";
    <password> "password";
    <port> "port-number";
}
Specifying a <method> value of junoscript establishes a session with the Junos XML
protocol server on a device running Junos OS, specifying netconf establishes a session
with a NETCONF server over an SSHv2 connection, and specifying junos-netconf
establishes a session with the NETCONF server over an SSHv1 connection on a device
running Junos OS. If you do not specify a protocol, a junoscript session is created by
default.
[Junos OS Configuration and Operations Automation Guide]
• NETCONF Java toolkit for rapid development of Java applications to manage Junos devices—The toolkit provides an object-oriented programmatic interface to manage
and configure Junos routing, switching, and security devices via NETCONF (RFC 4741)
protocol. The toolkit enables programmers familiar with the Java programming language
to easily connect to a routing, switching, or security device, open a NETCONF session,
construct configuration hierarchies in XML, and create and execute operational and
configuration requests.
The NETCONF Java toolkit provides classes with methods that implement the
functionality of the NETCONF protocol operations defined in RFC 4741. All basic protocol
operations are supported. The NETCONF XML management protocol uses XML-based
data encoding for configuration data and remote procedure calls. The toolkit provides
classes and methods that aid in creating, modifying, and parsing XML.
[NETCONF Java Toolkit Guide]
Layer 2 Ethernet Services
• IP multicast over Layer 2 trunk port support—Layer 3 multicast is now supported on
Layer 2 trunk ports through integrated routing and bridging (IRB) interfaces on the
MX80 router and on MX Series routers using Modular Port Concentrators
(MPCs)/Modular Interface Controllers (MICs).
[Layer 2]
MPLS Applications
• Support for RSVP-signaled point-to-multipoint LSPs extended to logical systems (M Series, T Series, and MX Series routers)—Starting Junos OS Release 11.4, the following topologies are supported:
• A single logical system in a physical router. The logical system is one node in an
RSVP-signaled point-to-multipoint LSP.
• Multiple logical systems in a physical router, with each logical system acting as a
label-switched router (LSR). The multiple logical systems can be unconnected,
connected to each other internally with logical tunnel (lt) interfaces, or connected
to each other externally with back-to-back connections.
• One RSVP-signaled point-to-multipoint LSP, with some nodes being logical systems
and other nodes being physical routers.
• Support for shared risk link groups—In MPLS traffic engineering, a shared risk link group (SRLG) is a set of links sharing a common resource, which affects all links in the
set if the common resource fails. These links share the same risk of failure and are
therefore considered to belong to the same SRLG. For example, links sharing a common
fiber are said to be in the same SRLG because a fault with the fiber might cause all
links in the group to fail.
An SRLG is represented by a 32-bit number unique within an IGP (OSPFv2 and IS-IS)
domain. A link might belong to multiple SRLGs. The SRLG of a path in an LSP is the
set of SRLGs for all the links in the path. When computing the secondary path for an
LSP, it is preferable to find a path such that secondary and primary paths do not have
any links in common and the SRLGs for the primary and secondary paths are disjoint.
This ensures that a single point of failure on a particular link does not bring down both
the primary and the secondary paths in the LSP.
When SRLG is configured, the device uses the Constrained Shortest Path First (CSPF)
algorithm and tries to keep the links used for the primary and secondary paths mutually
exclusive. If the primary path goes down, the CSPF algorithm computes the secondary
path by trying to avoid links sharing any SRLG with the primary path. In addition, when
computing the path for a bypass LSP, CSPF tries to avoid links sharing any SRLG with
the protected links.
When SRLG is not configured, CSPF only takes into account the costs of the links when
computing the secondary path.
Any change in link SRLG information triggers the IGP to send LSP updates for the new
link SRLG information. CSPF recomputes the paths during the next round of
reoptimization.
Junos OS Release 11.4 and later support SRLG based on the following RFCs:
• RFC 4203. OSPF Extensions in Support of Generalized Multi-Protocol Label Switching
(GMPLS).
• RFC 5307. IS-IS Extensions in Support of Generalized Multi-Protocol Label Switching
(GMPLS).
To configure the SRLG name, cost, and value, include the srlg srlg-name statement at
the following hierarchy levels:
• [edit routing-options]
• [edit logical-systems logical-system-name routing-options]
The srlg srlg-name statement has the following options:
• srlg-cost—Include a cost for the SRLG ranging from 1 through 65535. The cost of
the SRLG determines the level of impact this SRLG has on the CSPF algorithm for
path computations. The higher the cost, the less likely it is for a secondary path
to share the same SRLG as the primary path. By default, the srlg-cost is 1.
• srlg-value—Include a group ID for the SRLG ranging from 1 through 4294967295.
• Associate the SRLG with the MPLS interface at the [edit protocols mpls interface
interface-name] or [edit logical-systems logical-system-name protocols mpls interface
interface-name] hierarchy level.
• For critical links where it is imperative to keep the secondary and primary paths
completely disjoint from any common SRLG, configure the exclude-srlg statement
at the [edit protocols mpls label-switched-path path-name] or [edit logical-systems
logical-system-name protocols mpls label-switched-path path-name] hierarchy level.
If exclude-srlg is configured, the CSPF algorithm excludes any link belonging to the
set of SRLGs in the primary path. If exclude-srlg is not configured, and if a link belongs
to the set of SRLGs in the primary path, CSPF adds the SRLG cost to the metric, but
still accepts the link for computing the path.
• To make the dynamic bypass LSP and the protected link completely disjoint in any
SRLG, configure the exclude-srlg statement at the [edit protocols rsvp interface
interface-name link-protection] or [edit logical-systems logical-system-name protocols
rsvp interface interface-name link-protection] hierarchy level.
• To make the manual bypass LSP and the protected link completely disjoint in
any SRLG, configure the exclude-srlg statement at the [edit protocols rsvp interface
interface-name link-protection bypass destination] hierarchy level or the [edit
logical-systems logical-system-name protocols rsvp interface interface-name
link-protection bypass destination] hierarchy level.
For manual and dynamic bypass LSPs, if exclude-srlg is configured, the CSPF
algorithm excludes any link belonging to the set of SRLGs of the protected link. If
exclude-srlg is not configured, and if a link belongs to the set of SRLGs of the
protected link, CSPF adds the SRLG cost to the link metric, but still accepts the link
for computing the path.
Use the following operational mode commands to verify the SRLG configuration:
• show mpls srlg—Verify SRLG-to-value mappings and SRLG cost.
• show mpls lsp—Verify that when the primary or secondary path is up, the appropriate
SRLG values are shown.
• show mpls interface—Verify that the correct SRLG is associated with the appropriate
interface.
• show isis database extensive and show ospf database extensive—Verify the SRLG
values in the type length values (TLV).
• show ted database extensive and show ted link detail—Verify that the output shows
the correct SRLG on the TE link.
• show mpls admin-groups-extended—View MPLS extended administrative groups.
[MPLS]
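The SRLG rules described above (a link that shares an SRLG with the primary path is excluded outright under exclude-srlg, otherwise it stays usable with srlg-cost added to its metric; a bypass LSP treats the protected link's SRLGs the same way) as an added Python model of the path computation. This is example code, not Juniper's CSPF implementation, and the six-link topology, metrics and SRLG value 10 are constructed for the example.

```python
import heapq
from collections import defaultdict

# Constructed topology (an assumption for this example, not from the release
# notes): (node, node, IGP metric, set of SRLG values). Links A-B, B-D and A-C
# share a fiber, so they carry the same SRLG value.
LINKS = [
    ("A", "B", 1, {10}),
    ("B", "D", 1, {10}),
    ("A", "C", 1, {10}),
    ("C", "D", 2, set()),
    ("A", "E", 5, set()),
    ("E", "D", 5, set()),
]

def link_key(a, b):
    return tuple(sorted((a, b)))

def cspf(links, src, dst, excluded_links=frozenset(), avoid_srlgs=frozenset(),
         srlg_cost=1, exclude_srlg=False):
    """Dijkstra over the links that survive the constraints. A link sharing an
    SRLG with avoid_srlgs is dropped when exclude_srlg is set; otherwise it
    stays usable but its metric is raised by srlg_cost, as the notes describe.
    Returns (path, cspf_metric) or (None, None) when no path exists."""
    adj = defaultdict(list)
    for a, b, metric, srlgs in links:
        if link_key(a, b) in excluded_links:
            continue
        shared = bool(set(srlgs) & set(avoid_srlgs))
        if shared and exclude_srlg:
            continue
        cost = metric + (srlg_cost if shared else 0)
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in adj[node]:
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = d + cost, node
                heapq.heappush(heap, (d + cost, nxt))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]

def path_links(path):
    return {link_key(a, b) for a, b in zip(path, path[1:])}

def path_srlgs(links, path):
    keys = path_links(path)
    return set().union(*(srlgs for a, b, _, srlgs in links if link_key(a, b) in keys))

def compute_secondary(links, src, dst, srlg_cost=1, exclude_srlg=False):
    """Primary path, then a secondary that avoids the primary's links and,
    under the srlg-cost / exclude-srlg rules, the primary's SRLGs."""
    primary, _ = cspf(links, src, dst)
    secondary, metric = cspf(links, src, dst, excluded_links=path_links(primary),
                             avoid_srlgs=path_srlgs(links, primary),
                             srlg_cost=srlg_cost, exclude_srlg=exclude_srlg)
    return primary, secondary, metric

def compute_bypass(links, a, b, srlg_cost=1, exclude_srlg=False):
    """Bypass LSP around the protected link a-b, treating that link's SRLGs
    the same way a secondary path treats the primary's."""
    protected = next(l for l in links if link_key(l[0], l[1]) == link_key(a, b))
    return cspf(links, a, b, excluded_links={link_key(a, b)},
                avoid_srlgs=protected[3], srlg_cost=srlg_cost,
                exclude_srlg=exclude_srlg)
```

With the default srlg-cost of 1 the secondary for A to D still takes A-C-D and shares SRLG 10 with the primary; raising srlg-cost to 10 or configuring exclude-srlg pushes it onto the longer but SRLG-disjoint A-E-D path, and under exclude-srlg no bypass for A-B exists at all, which is the trade-off the notes describe for critical links.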
• Support for MPLS feature interoperability (MX Series routers with MPC/MIC interfaces)—Extends support for MPLS feature interoperability with Junos OS Releases 9.5 through 10.0 on MX Series routers with MPC/MIC interfaces. MPLS features can
now interoperate between MPCs and DPCs on MX Series routers.
The following features are supported on MPC/MIC interfaces:
• Configuring up to 64 equal-cost multipaths (ECMP) next hops to load-balance the
traffic on various routes such as OSPF, BGP, and IS-IS.
• Configuring a network of RSVP-signaled MPLS routers to automatically update the
full mesh of label-switched paths (LSPs) between the provider edge (PE) routers
whenever a new PE router is added.
[System Basics Configuration Guide, MPLS Configuration Guide]
• Enhanced support for Junos Trio chipsets—Starting with Junos OS Release 11.4, the
Junos Trio chipset supports the following features:
• Multicast load balancing of point-to-multipoint label-switched paths (LSPs) over
aggregated Ethernet child links.
• Automatic policers for MPLS point-to-multipoint LSPs.
• Display of packet and byte statistics for sub-LSPs of a point-to-multipoint LSP.
• GRES and graceful restart for MPLS point-to-multipoint LSPs.
• Multicast virtual private network (MVPN) extranet or overlapping functionality.
[MPLS, VPNs]
• LSP setup protection using facility backup fast reroute—The facility-backup fast reroute mechanism has been extended to provide setup protection for LSPs that are
in the process of being signaled. This feature is applicable in the following scenario:
1. A failed link or node is present on the strict explicit path of an LSP before the LSP
is signaled.
2. There is also a bypass LSP protecting the link or node.
3. RSVP signals the LSP through the bypass LSP. The LSP appears as if it was originally
set up along its primary path and then failed over to the bypass LSP because of the
link or node failure.
4. When the link or node has recovered, the LSP can be automatically reverted to the
primary path.
Both point-to-point LSPs and point-to-multipoint LSPs are supported. To enable LSP
setup protection, configure the setup-protection statement at the [edit protocols rsvp]
hierarchy level. You should configure the setup-protection statement on each of the
routers along the LSP path on which you want to enable LSP setup protection. You
should also configure IGP traffic engineering on all of the routers on the LSP path. You
can issue a show rsvp session command to determine whether or not the LSP has setup
protection enabled on a router acting as a point of local repair (PLR) or a merge point.
[MPLS Applications]
Network Management
• New enterprise-specific MIBs to view PPP and PPPoE information (M Series and MX Series routers)—Junos OS Release 11.4 introduces three new enterprise-specific
MIBs to extend SNMP support for PPP and PPPoE: JNX-PPP-MIB (RFC 1661),
PPP-LCP-MIB (RFC 1471), and JNX-PPPOE-MIB (RFC 2516). These MIBs contain PPP-
and PPPoE-related information such as the type of authentication used, interface
characteristics, status, and statistics.
You can access this information using SNMP get and get-next requests. If an attribute
is not supported, the attribute returns either zero or the default value.
This feature does not support creation or configuration of PPP or PPPoE interfaces
using the SNMP set requests.
[SNMP MIBs and Traps Reference]
• Support for P2MP MPLS-TE MIB—Starting Release 11.3, Junos OS supports the standard P2MP MPLS-TE MIB as defined in draft-ietf-mpls-p2mp-te-mib-09.txt. Support for
P2MP MPLS-TE MIB augments the standard P2P MPLS-TE MIB defined in RFC 3812
and extends SNMP support to point-to-multipoint tunnel-related data. However, Junos
OS implementation of the standard P2MPMPLS-TE MIB does not support
mplsTeP2mpTunnelBranchPerfTable because Junos OS does not support the
corresponding table in MPLS-TE MIB.
[SNMP MIBs and Traps Reference]
• SNMP support for LAC and LNS (MX Series routers with MPC/MIC interfaces)—SNMP extends support for MX Series routers with MPC/MIC interfaces acting as the L2TP
network server (LNS) and L2TP access concentrator (LAC) in Junos OS Release 11.4
and later. In earlier releases, SNMP support for LAC and LNS was provided only for M
Series routers.
The existing enterprise-specific MIB, JNX-L2TP-MIB, now maintains tunnel and session
information for both M Series and MX Series routers. The MX Series routers use the
Common Edge L2TP process, jl2tpd.
The following objects are not supported on the jl2tpd LAC in jnxL2TPTunnelStatsTable
and jnxL2TPSessionStatsTable:
• jnxL2tpTunnelStatsServiceInterface (applicable to LNS only)
• jnxL2tpTunnelStatsTunnelGroup (applicable to LNS only)
• jnxL2tpSessionStatsServiceInterface (applicable to LNS only)
• jnxL2tpSessionStatsTunnelGroup (applicable to LNS only)
• jnxL2tpSessionStatsInterfaceID (Applicable to LNS only)
The following objects are not supported on jl2tpd:
• jnxL2tpSessionStatsUserName
• jnxL2tpSessionAssignedIpAddrType
• jnxL2tpSessionAssignedIpAddress
• jnxL2tpSessionLocalMRU
• jnxL2tpSessionRemoteMRU
• jnxL2tpSessionStatsAuthMethod
• jnxL2tpSessionStatsNasIpAddrType
• jnxL2tpSessionStatsNasIpAddress
• jnxL2tpSessionStatsNasIpPort
• jnxL2tpSessionStatsFramedProtocol
• jnxL2tpSessionStatsFramedIpAddrType
• jnxL2tpSessionStatsFramedIpAddress
• jnxL2tpSessionStatsAcctDelayTime
• jnxL2tpSessionStatsAcctSessionID
• jnxL2tpSessionStatsAcctMethod
• jnxL2tpSessionStatsAcctSessionTime
• jnxL2tpSessionStatsAcctNasPortType
• jnxL2tpSessionStatsAcctTnlClientAuthID
• jnxL2tpSessionStatsAcctTnlServerAuthID
• jnxL2tpSessionStatsUserProfileName
The following objects in jnxL2tpTunnelStatsTable are not available on MPC/MICs:
• jnxL2tpTunnelStatsErrorTxPkts
• jnxL2tpTunnelStatsErrorRxPkts
These objects continue to be supported by the M Series routers. You can access the
tunnel- and session-related information for both the processes using SNMP get and
get-next requests. If an object is not supported, the object returns either zero or the
default value.
[SNMP MIBs and Traps Reference]
• Enhancements to the jnxOperatingCPU object—Junos OS Release 11.3 introduces the following three MIB objects to enhance the CPU utilization reporting over SNMP:
• jnxOperating1MinAvgCPU—Indicates the average utilization of CPU during the last
minute.
• jnxOperating5MinAvgCPU—Indicates the average utilization of CPU during the last
5-minute period.
• jnxOperating15MinAvgCPU—Indicates the average utilization of CPU during the last
15-minute period.
All these objects return a zero value if the data is not available or is not applicable.
[SNMP MIBs and Traps Reference]
• Support for the pimNeighborLoss trap—Starting Release 11.4, Junos OS supports the pimNeighborLoss trap as defined in RFC 2934. The Junos OS implementation of RFC
2934 is based on a draft version of the PIM MIB as defined in the pimmib.mib in the
Junos OS Standard MIBs package.
The pimNeighborLoss trap is generated when the device loses the adjacency with its
only neighbor that has an IP address lower than that of the interface to which the
neighbor is connected.
[SNMP MIBs and Traps Reference]
• MIB support for VRF route entries—Starting Release 11.4, Junos OS extends the SNMP support to Layer 3 Virtual Private Network (VPN) Routing and Forwarding Table (VRF)
entries as defined in RFC 4382, MPLS/BGP Layer 3 Virtual Private Network (VPN) MIB.
The Junos OS support for RFC 4382 includes the following scalar objects and tables:
• mplsL3VpnConfiguredVrfs
• mplsL3VpnActiveVrfs
• mplsL3VpnConnectedInterfaces
• mplsL3VpnNotificationEnable
• mplsL3VpnVrfConfMaxPossRts
• mplsL3VpnVrfConfRteMxThrshTime
• mplsL3VpnIllLblRcvThrsh
• mplsL3VpnVrfTable
• mplsL3VpnIfConfTable
• mplsL3VpnVrfPerfTable
• mplsL3VpnVrfRteTable
• mplsVpnVrfRTTable
[SNMP MIBs and Traps Reference]
• Junos OS MIB support for VPLS—Starting with Release 11.4, Junos OS extends SNMP support to virtual private LAN services (VPLS) networks so that users can access
VPLS-related data over SNMP. The Junos OS SNMP support for VPLS covers both
BGP-based and LDP-based VPLS networks.
The Junos OS SNMP support for VPLS is based on the IETF standard MIB
draft-ietf-l2vpn-vpls-mib-05.txt. Juniper Networks extensions of the following MIBs
defined in draft-ietf-l2vpn-vpls-mib-05.txt are implemented as part of the jnxExperiment
branch:
• VPLS-Generic-Draft-01-MIB implemented as mib-jnx-vpls-generic.txt.
• VPLS-BGP-Draft-01-MIB implemented as mib-jnx-vpls-bgp.txt.
• VPLS-LDP-Draft-01-MIB implemented as mib-jnx-vpls-ldp.txt.
In the Junos OS implementation of these MIBs, all MIB objects are prefixed with jnx.
[SNMP MIBs and Traps Reference]
• Extended support for the enterprise-specific License MIB—Starting Junos OS Release 11.3, the enterprise-specific License MIB is supported on all devices running Junos OS.
The enterprise-specific License MIB was supported only on SRX devices when License
MIB was introduced in Junos OS Release 11.2.
[SNMP MIBs and Traps Reference]
• SNMP poll and trap support for DHCP leases (MX Series 3D Universal Edge Routers)—The Juniper Networks enterprise-specific DHCP and DHCPv6 MIB objects, jnxJdhcpMIB and jnxJdhcpv6MIB, have been modified to contain a new table for
interface statistics and additional notifications. This feature includes support for gets
and traps and support for DHCP local server and relay and DHCPv6 local server.
[SNMP MIBs and Traps Reference]
• SNMP support for address counters (MX Series 3D Universal Edge Routers)—This feature provides the ability to track the usage of address resources off-chassis.
[SNMP MIBs and Traps Reference]
Routing Protocols
• For internal BGP (IBGP), advertise multiple paths to a destination (M Series, MX Series, and T Series routers)—For IPv4 unicast (family inet unicast) routes only, enables an IBGP peer to advertise multiple exit points to reach a destination. This provides fault
tolerance, load balancing, and graceful maintenance operations.
To set the number of paths to send to a neighbor, include the add-path send path-count
number statement at the [edit protocols bgp group group-name neighbor address family
inet unicast] hierarchy level.
To enable a peer to receive multiple paths, include the add-path receive statement at
the [edit protocols bgp group group-name family inet unicast] hierarchy level.
To apply a policy that allows a BGP peer to send multiple paths for only specific routes,
include the add-path send prefix-policy policy-name statement at the [edit protocols
bgp group group-name neighbor address family inet unicast] hierarchy level.
To configure the policy, use the policy-options hierarchy level, as you normally would.
For example:
user@host# set policy-options policy-statement allow_199 from route-filter 199.1.1.1/32 exact
user@host# set policy-options policy-statement allow_199 then accept
[Routing Policy]
• Frequent BGP keepalive messages and short BGP hold time—Enables BGP sessions to send frequent keepalive messages with a hold time as short as 10 seconds. Note
that the hold time is three times the interval at which keepalive messages are sent,
and the hold time is the maximum number of seconds allowed to elapse between
successive keepalive messages that BGP receives from a peer. When establishing a
BGP connection with the local routing device, a peer sends an open message, which
contains a hold-time value. BGP on the local routing device uses the smaller of either
the local hold-time value or the peer’s hold-time value as the hold time for the BGP
connection between the two peers. The default hold time is 90 seconds, meaning that
the default frequency for keepalive messages is 30 seconds. More frequent keepalive
messages and shorter hold times might be desirable in large-scale deployments with
many active sessions (such as edge or large VPN deployments).
To configure the hold time and the frequency of keepalive messages, include the
hold-time statement at the [edit protocols bgp] hierarchy level. You can configure the
hold time at a logical-system, routing-instance, global, group, or neighbor level. When
you set a hold-time value to less than 20 seconds, we recommend that you also
configure the BGP precision-timers statement. The precision-timers statement ensures
that if scheduler slip messages occur, the routing device continues to send keepalive
messages. When the precision-timers statement is included, keepalive message
generation is performed in a dedicated kernel thread, which helps to prevent BGP
session flaps.
[Routing Protocols]
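The hold-time rules above (the session uses the smaller of the local and the peer's OPEN value, keepalives go out at one third of the hold time, and the hold time is the longest gap allowed between received keepalives) as an added Python example. This is not Juniper code; the keepalive arrival times fed to the check are constructed, and the 20-second threshold for recommending precision-timers is the one quoted in the text.

```python
DEFAULT_HOLD_TIME = 90            # seconds, the Junos OS default quoted above
PRECISION_TIMERS_THRESHOLD = 20   # below this, precision-timers is recommended

def negotiate_hold_time(local_hold, peer_hold):
    """Hold time agreed for the session (the smaller of the local value and
    the value carried in the peer's OPEN message) and the keepalive interval
    derived from it (one third of the hold time)."""
    if min(local_hold, peer_hold) < 0:
        raise ValueError("hold time cannot be negative")
    hold = min(local_hold, peer_hold)
    return hold, hold / 3

def hold_timer_expiry(hold, keepalive_arrivals, established_at=0.0):
    """Walk keepalive arrival times (seconds since session establishment)
    and return the moment the hold timer would first expire, i.e. the end of
    the first gap longer than hold seconds; None if the session stays up."""
    last = established_at
    for t in sorted(keepalive_arrivals):
        if t - last > hold:
            return last + hold
        last = t
    return None

def precision_timers_recommended(hold):
    """True when the configured hold time is short enough that scheduler
    slips could flap the session unless keepalives run in a dedicated thread."""
    return hold < PRECISION_TIMERS_THRESHOLD

# Constructed arrival times: a 10-second session whose peer falls silent
# after its third keepalive, and a default 90-second session that stays up.
SHORT_SESSION_KEEPALIVES = [3, 6, 9, 25]
DEFAULT_SESSION_KEEPALIVES = [30, 60, 90, 120]
```

A quick check of a constructed 10-second session shows the hold timer firing at t=19, well before the next keepalive at t=25, which is the kind of gap a scheduler slip can open and the reason the notes pair short hold times with precision-timers.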
Subscriber Access Management
• Junos OS subscriber management scaling values (M120, M320, and MX Series routers)—A spreadsheet is available online that lists scaling values supported for Junos OS subscriber management beginning with Junos OS Release 10.1. Access the Subscriber
Management Scaling Values (XLS) spreadsheet from the Downloads box at
http://www.juniper.net/techpubs/en_US/junosrelease-number/information-products/pathway-pages/subscriber-access/index.html. Substitute the number of the latest
Junos OS release for the release-number. For example, ...en_us/junos11.1/....
[Subscriber Management Scaling]
• Configuring connection speeds on the LAC (MX Series 3D Universal Edge Routers)—You can configure the resource used by the LAC to determine the setting for the speed of the connection from the LAC to the LNS (transmit speed) and of the
connection from the LNS to the LAC (receive speed). The LAC sends the speeds to the
LNS in Incoming-Call-Connected (ICCN) messages; the transmit speed is conveyed
by AVP 24 and the receive speed by AVP 38.
To use the recommended downstream traffic shaping rate for AVP 24 and the
recommended upstream shaping rate for AVP 38, include the tx-connect-speed-method
advisory statement at the [edit services l2tp] hierarchy level. You configure the advisory
rates under the PPPoE logical interface underlying the subscriber interface with the
advisory-options statement at the [edit interfaces interface-name unit
logical-unit-number] hierarchy level. If the advisory speed is not configured on the
underlying interface, then the tx-connect-speed-method advisory statement
automatically sets the speed to 1 Gbps and sends this value in both AVP 24 and AVP
38.
Alternatively, to derive the speeds from the PPPoE IA tags, use the
tx-connect-speed-method dsl-forum statement. In this case, AVP 24 is the value of
Actual-Data-Rate-Downstream (VSA 26-129). AVP 38 is the value of
Actual-Data-Rate-Upstream (26-130), and is sent only when the VSA values differ.
[Subscriber Access]
• Support for hierarchical policer as filter action (MX Series router)—This feature enables you to have hierarchical policers as one type of filter action. Hierarchical policers
rate-limit premium traffic separately from the aggregate traffic on an interface as
determined by different configured rates. This feature is useful in provider edge
applications using aggregate policing for general traffic and to apply a separate policer
for premium traffic on a logical or physical interface. To enable all hierarchical policers
of the same name in one filter to share the same policer instance in PFE, use the
filter-specific statement at the [edit firewall] hierarchy level.
[Subscriber Access]
• Unified ISSU support for subscriber management PPPoE access model (M120, M320, and MX Series routers)—Extends support for the unified in-service software upgrade (unified ISSU) feature to the PPPoE access model used by subscriber management.
This support ensures that the router preserves all active PPPoE subscriber sessions
and session services after completion of a unified ISSU.
Unified ISSU for static and dynamic PPPoE access in subscriber management supports
the following features:
• Terminated, non-tunneled PPPoE connections configured with static or dynamic
PPP logical interfaces and static or dynamic PPPoE underlying interfaces
• Subscriber services on single-link PPP interfaces
• Preservation of statistics for accounting, filter, and class of service (CoS) on MPC/MIC
interfaces
NOTE: Accounting statistics are not preserved after a unified ISSU on M120 and M320 routers with Enhanced Intelligent Queuing 2 (IQ2E) PICs.
Unified ISSU for static and dynamic PPPoE access in subscriber management does
not support Multilink Point-to-Point Protocol (MLPPP) bundle interfaces. (MLPPP
bundle interfaces require the use of an Adaptive Services PIC or Multiservices PIC to
provide PPP subscriber services. These PICs do not support unified ISSU.)
You use the existing CLI statements and procedure to configure and initiate unified
ISSU for subscriber management. To display information about the state of unified
ISSU for subscriber management features, you can use the existing show system
subscriber-management summary operational command.
[Subscriber Access, High Availability]
• PPPoE encapsulation type lockout support (M120, M320, and MX Series routers)—Enables you to configure the router to prevent (lock out) a failed or short-lived PPPoE subscriber session from reconnecting for a temporary period of time known as
the lockout period. The lockout period is derived from a formula and increases
exponentially based on the number of successive reconnection failures.
Configuring PPPoE encapsulation type lockout protects the router and any external
authentication, authorization, and accounting (AAA) servers, such as RADIUS or
Diameter, from excessive loading as a result of failed or short-lived PPPoE subscriber
sessions that occur repeatedly for the same subscriber. Subscriber sessions are
identified by their unique media access control (MAC) source address.
When you configure PPPoE encapsulation type lockout, the router detects a short-lived
(also referred to as a short-cycle) subscriber session, determines the time between
repeated short-cycle events, and applies a time penalty for each short-cycle event
based on a default or configured lockout period. This action temporarily locks out the
specified PPPoE subscriber by preventing connection to the router. When the lockout
period expires, negotiation of the PPPoE subscriber session and associated MAC source
address resumes.
Configuration of PPPoE encapsulation type lockout is supported on Intelligent Queuing
2 (IQ2) PICs on M120 and M320 routers, and on MPC/MIC interfaces on MX Series
routers. You can configure PPPoE encapsulation type lockout for all of the following
static and dynamic PPPoE underlying interface types:
• Static VLAN logical interface
• Static VLAN demultiplexing (demux) logical interface
• Dynamic VLAN logical interface
• Dynamic VLAN demultiplexing (demux) logical interface
PPPoE encapsulation type lockout is disabled by default. To configure PPPoE
encapsulation type lockout and an optional lockout period, in seconds, you must include
the new short-cycle-protection statement at any of the following hierarchy levels:
• [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number family
pppoe]
• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number
family pppoe]
• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number
pppoe-underlying-options]
• [edit interfaces demux0 unit logical-unit-number family pppoe]
• [edit interfaces interface-name unit logical-unit-number family pppoe]
• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
• [edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number family pppoe]
• [edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number pppoe-underlying-options]
If you include the short-cycle-protection statement without specifying the lockout
period, the routeruses thedefault lockoutperiodof 1 through300seconds(5minutes).
To display information about the PPPoE encapsulation type lockout configuration on
the PPPoE underlying interface, use the show pppoe lockout operational command,
new in Junos OS Release 11.4, or the show pppoe underlying-interfaces operational
command, enhanced in Junos OS Release 11.4. You can also use the new clear pppoe
lockout operational command to clear the lockout condition for a specific MAC source
address on a specific underlying interface, for all MAC source addresses on a specific
underlying interface, or for all MAC source addresses on all underlying interfaces.
[Subscriber Access, Interfaces Command Reference, Ethernet Interfaces]
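The lockout mechanism described above, per-MAC tracking of short-cycle events, a penalty that grows with successive failures, and a clear operation, as an added Python model. This is example code, not Juniper's implementation. The release notes do not give the formula, so two details are assumptions made for the example: a session that ends within short_cycle_secs of starting counts as a short-cycle event, and the penalty doubles per successive event from the 1-second minimum to the 300-second maximum quoted as the default range.

```python
class PppoeShortCycleProtection:
    """Model of PPPoE encapsulation type lockout on one underlying interface.

    ASSUMPTIONS (not stated in the release notes): a session that ends within
    short_cycle_secs of starting is a short-cycle event, and the penalty
    doubles for each successive event, from min_lockout up to max_lockout."""

    def __init__(self, min_lockout=1, max_lockout=300, short_cycle_secs=30):
        self.min_lockout = min_lockout
        self.max_lockout = max_lockout
        self.short_cycle_secs = short_cycle_secs
        self.failures = {}      # MAC source address -> successive short-cycle events
        self.locked_until = {}  # MAC source address -> time the lockout expires
        self.started = {}       # MAC source address -> start time of the live session

    def lockout_period(self, failures):
        """Penalty for the n-th successive short-cycle event, capped (assumed formula)."""
        return min(self.min_lockout * 2 ** (failures - 1), self.max_lockout)

    def is_locked(self, mac, now):
        return now < self.locked_until.get(mac, 0)

    def connect_request(self, mac, now):
        """True if PPPoE negotiation for this MAC may proceed; False while locked out."""
        if self.is_locked(mac, now):
            return False
        self.started[mac] = now
        return True

    def session_ended(self, mac, now):
        """Record session teardown. Returns the lockout period applied, or None
        when the session lived long enough to reset the failure counter."""
        start = self.started.pop(mac, None)
        if start is None:
            return None
        if now - start >= self.short_cycle_secs:
            self.failures.pop(mac, None)        # healthy session resets the counter
            return None
        self.failures[mac] = self.failures.get(mac, 0) + 1
        period = self.lockout_period(self.failures[mac])
        self.locked_until[mac] = now + period
        return period

    def clear(self, mac=None):
        """Counterpart of clear pppoe lockout: one MAC, or all MACs on this interface."""
        if mac is None:
            self.failures.clear()
            self.locked_until.clear()
        else:
            self.failures.pop(mac, None)
            self.locked_until.pop(mac, None)
```

Whatever the exact penalty curve, the property worth checking is the one the notes state as the purpose of the feature: a subscriber that keeps failing is refused at the router before it reaches the RADIUS or Diameter server, while a session that completes normally clears its history.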
• Expression support for dynamic profiles (MX Series routers)—Junos OS Release 11.4 supports the use of expressions for dynamic profile variables. Expressions are groups
of arithmetic operators, string operators, and operands that you can create for use as
variables within dynamic profiles.
To configure expressions, include the expression operators and operands at the [edit
dynamic-profiles profile-name variables] hierarchy level.
Table 4 on page 86 lists supported operators and functions you can use to create
expressions.
NOTE: Precedence 1 is the lowest level.
Table 4: Operators and Functions
Operation | Operator | Associativity | Precedence | Action
Arithmetic Addition | + | Left | 1 | Adds the elements to the right and left of the operator together.
Arithmetic Subtraction | - | Left | 1 | Subtracts the element to the right of the operator from the element to the left of the operator.
Arithmetic Multiplication | * | Left | 2 | Multiplies the element to the left of the operator by the element to the right of the operator.
Arithmetic Division | / | Left | 2 | Divides the element to the left of the operator by the element to the right of the operator.
Arithmetic Modulo | % | Left | 2 | Divides the element to the left of the operator by the element to the right of the operator and returns the integer remainder. If the element to the left of the operator is less than the element to the right of the operator, the result is the element to the left of the operator.
Concatenation | ## | Left | 3 | Creates a new string by joining the string values to the left of the operator and the values to the right of the operator together.
Maximum | max(param1,param2) | Left | 4 | Takes the maximum of the two values passed as parameters.
Minimum | min(param1,param2) | Left | 4 | Takes the minimum of the two values passed as parameters.
Round | round(param1) | - | 4 | Rounds the value to the nearest integer.
Truncate | trunc(param1) | - | 4 | Truncates a non-integer value to the value left of the decimal point.
Convert to String | toStr(param1) | - | 4 | Converts the variable inside the parentheses to a null terminated string.
Convert to Integer | toInt(param1) | - | 4 | Converts the parameter to an integer. A single string or variable is allowed as a parameter.
Random | rand() | - | 4 | Generates a random numerical value.
Parentheses | ( ) | - | 5 | Groups operands and operators to achieve results different from simple precedence; effectively has the highest precedence.
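The precedence and associativity rules in Table 4, worked through as an added Python evaluator; this is an illustration written for these notes, not Junos code. It assumes that variable names begin with $ and may contain hyphens (as Junos dynamic-profile variables do), that / is true division, that round() rounds .5 upward, and a range for rand(); the variable values at the bottom are constructed.

```python
import math
import random
import re
from typing import Any, Dict, List, Optional, Tuple

# Binary operators from Table 4: operator -> (precedence, function).
# Precedence 1 is the lowest level; every binary operator is left-associative.
BINARY_OPS = {
    "+": (1, lambda a, b: a + b),
    "-": (1, lambda a, b: a - b),
    "*": (2, lambda a, b: a * b),
    "/": (2, lambda a, b: a / b),             # assumed: true division; trunc()/round() narrow it
    "%": (2, lambda a, b: int(a) % int(b)),   # integer remainder; a < b yields a
    "##": (3, lambda a, b: str(a) + str(b)),  # concatenation binds tighter than arithmetic
}

# Functions from Table 4 (precedence 4, no associativity).
FUNCTIONS = {
    "max": lambda a, b: max(a, b),
    "min": lambda a, b: min(a, b),
    "round": lambda a: math.floor(a + 0.5),   # nearest integer; assumed: .5 rounds up
    "trunc": lambda a: math.trunc(a),         # drop everything right of the decimal point
    "toStr": lambda a: str(a),
    "toInt": lambda a: int(a),
    "rand": lambda: random.randint(0, 2**31 - 1),  # assumed range
}

# Tokens: numbers, double-quoted strings, $variables (hyphens allowed inside the
# name), function names, and the operators/punctuation of Table 4.
TOKEN_RE = re.compile(
    r'(?P<num>\d+(?:\.\d+)?)|"(?P<str>[^"]*)"|(?P<var>\$[A-Za-z0-9_-]+)'
    r'|(?P<name>[A-Za-z_][A-Za-z0-9_]*)|(?P<op>##|[-+*/%(),])'
)


def tokenize(text: str) -> List[Tuple[str, Any]]:
    tokens: List[Tuple[str, Any]] = []
    pos = 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected character {text[pos]!r} at offset {pos}")
        kind = m.lastgroup
        value: Any = m.group(kind)
        if kind == "num":
            value = float(value) if "." in value else int(value)
        tokens.append((kind, value))
        pos = m.end()
    return tokens


class Evaluator:
    """Precedence-climbing evaluator for the Table 4 grammar."""

    def __init__(self, variables: Optional[Dict[str, Any]] = None):
        self.vars = variables or {}
        self.tokens: List[Tuple[str, Any]] = []
        self.pos = 0

    def evaluate(self, text: str) -> Any:
        self.tokens, self.pos = tokenize(text), 0
        value = self._expr(1)
        if self.pos != len(self.tokens):
            raise SyntaxError(f"trailing input at token {self.tokens[self.pos]!r}")
        return value

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _expect(self, op: str) -> None:
        kind, value = self._next()
        if (kind, value) != ("op", op):
            raise SyntaxError(f"expected {op!r}, got {value!r}")

    def _expr(self, min_prec: int) -> Any:
        # Parse operators of precedence >= min_prec. Because all binary operators
        # are left-associative, the right operand is parsed at prec + 1, so that
        # "10 - 4 - 3" groups as (10 - 4) - 3.
        left = self._primary()
        while True:
            kind, value = self._peek()
            if kind != "op" or value not in BINARY_OPS:
                return left
            prec, fn = BINARY_OPS[value]
            if prec < min_prec:
                return left
            self._next()
            left = fn(left, self._expr(prec + 1))

    def _primary(self) -> Any:
        kind, value = self._next()
        if kind in ("num", "str"):
            return value
        if kind == "var":
            if value not in self.vars:
                raise NameError(f"undefined variable {value}")
            return self.vars[value]
        if kind == "name":  # function call: name ( arg, arg )
            if value not in FUNCTIONS:
                raise NameError(f"unknown function {value}")
            self._expect("(")
            args = []
            if self._peek() != ("op", ")"):
                args.append(self._expr(1))
                while self._peek() == ("op", ","):
                    self._next()
                    args.append(self._expr(1))
            self._expect(")")
            return FUNCTIONS[value](*args)
        if (kind, value) == ("op", "("):  # parentheses: highest precedence
            inner = self._expr(1)
            self._expect(")")
            return inner
        raise SyntaxError(f"unexpected token {value!r}")


def evaluate_expression(text: str, variables: Optional[Dict[str, Any]] = None) -> Any:
    return Evaluator(variables).evaluate(text)


if __name__ == "__main__":
    # Constructed values standing in for dynamic-profile variables.
    env = {"$ifname": "ge-0/0/0", "$unit": 107, "$rate": 10000}
    print(evaluate_expression('$ifname ## "." ## toStr($unit)', env))  # ge-0/0/0.107
    print(evaluate_expression("trunc($rate * 95 / 100)", env))          # 9500
```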
[Subscriber Access]
• L2TP LAC support for unified ISSU (MX Series 3D Universal Edge Routers)—Unified ISSU for tunneled PPP clients over PPPoE is now fully supported on L2TP LACs on MX
Series routers. When a unified ISSU is initiated, the LAC completes any L2TP
negotiations that are in progress but rejects any new negotiations until the upgrade
has completed. No new tunnels or sessions are established during the upgrade.
Subscriber logouts are recorded during the upgrade and are completed after the
upgrade has completed.
L2TP LNS on MX Series routers supports only unified ISSU challenged behavior. The
upgrade is gracefully rejected and does not proceed when any LNS destination exists,
regardless of whether tunnels or sessions have been established.
Unified ISSU is not supported by L2TP on M Series routers.
[Subscriber Access, High Availability]
• DHCPv6 support (MX Series routers)—Subscriber management now supports DHCPv6 relay. DHCPv6 relay passes messages between a DHCPv6 client and a DHCPv6 server,
and provides the type of support within an IPv6 network that the previously supported
DHCP relay provides in an IPv4 network. DHCPv6 relay interacts with the AAA service
framework to manage subscriber access and accounting. This interaction enables the
relay to use an external authority, such as RADIUS, to provide IPv6 prefixes, client
authentication, and configuration options.
To configure DHCPv6 relay, you use the dhcpv6 statement at the [edit
forwarding-options dhcp-relay] hierarchy level. Subscriber management also supports
new operational commands that you can use to query the system and display
information about DHCPv6 relay bindings and statistics.
Table 5 on page 88 lists the DHCPv6 relay statements and operational commands
that are introduced at the indicated hierarchy levels in Junos OS Release 11.4:
Table 5: DHCPv6 Relay Support for New Statements and Operational Commands
Statement or Command | Supported Hierarchy Level
dhcpv6 | [edit forwarding-options dhcp-relay]
relay-agent-interface-id | [edit forwarding-options dhcp-relay dhcpv6]
relay-agent-interface-id, relay-agent-remote-id, relay-agent-subscriber-id | [edit forwarding-options dhcp-relay dhcpv6 authentication username-include] and [edit forwarding-options dhcp-relay dhcpv6 group group-name authentication username-include]
clear dhcpv6 relay binding, clear dhcpv6 relay statistics, show dhcpv6 relay binding, show dhcpv6 relay statistics | CLI operational mode
Table 6 on page 88 lists the existing statements that are now supported for DHCPv6
relay at the indicated hierarchy levels:
Table 6: DHCPv6 Relay Support for Existing Statements
Statement | Supported Hierarchy Level
active-server-group, authentication, dynamic-profile, group, overrides, server-group | [edit forwarding-options dhcp-relay dhcpv6]
password, username-include | [edit forwarding-options dhcp-relay dhcpv6 authentication] and [edit forwarding-options dhcp-relay dhcpv6 group group-name authentication]
circuit-type, delimiter, domain-name, logical-system-name, routing-instance-name, user-prefix | [edit forwarding-options dhcp-relay dhcpv6 authentication username-include] and [edit forwarding-options dhcp-relay dhcpv6 group group-name authentication username-include]
aggregate-clients, use-primary | [edit forwarding-options dhcp-relay dhcpv6 dynamic-profile] and [edit forwarding-options dhcp-relay dhcpv6 group group-name dynamic-profile]
overrides | [edit forwarding-options dhcp-relay dhcpv6], [edit forwarding-options dhcp-relay dhcpv6 group group-name], and [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name]
prefix, use-interface-description | [edit forwarding-options dhcp-relay dhcpv6 relay-agent-interface-id] and [edit forwarding-options dhcp-relay dhcpv6 group group-name relay-agent-interface-id]
interface-client-limit, no-bind-on-request, send-release-on-delete | [edit forwarding-options dhcp-relay dhcpv6 overrides], [edit forwarding-options dhcp-relay dhcpv6 group group-name overrides], and [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name overrides]
interface | [edit forwarding-options dhcp-relay dhcpv6 group group-name]
trace | [edit forwarding-options dhcp-relay dhcpv6 group group-name interface interface-name]
[Subscriber Access]
• Support for hierarchical CoS on interface sets of aggregated Ethernet interfaces (MX Series routers)—Enables you to apply hierarchical CoS to demux and PPPoE subscribers configured in interface sets of aggregated Ethernet interfaces. This feature
is supported on MPC/MIC modules on MX Series routers. You must apply static CoS
parameters to interface sets.
You can configure the aggregated Ethernet interface with or without link protection.
In addition, you can set the distribution model of the logical interfaces within the
interface set to hash-based distribution or targeted distribution.
The link membership list and scheduler mode of the interface set is inherited from the
underlying aggregated Ethernet interface over which the interface set is configured.
When an aggregated Ethernet interface operates in link protection mode, or if the
scheduler mode is set to member-link-scheduler replicate, the scheduling parameters
of the interface set are copied to each of the member links. If the scheduler mode of
the aggregated Ethernet interface is set to member-link-scheduler scale, the scheduling
parameters are scaled based on the number of active member links and applied to
each of the aggregated interface member links.
To create an interface set, include the interface-set interface-set-name statement at
the [edit interfaces] hierarchy level or the [edit dynamic-profiles profile-name interfaces]
hierarchy level. You can add demux or PPPoE interfaces to the set by including the
interface interface-name unit logical-unit-number statement at the [edit interfaces
interface-set interface-set-name] or the [edit dynamic-profiles profile-name interfaces
interface-set interface-set-name] hierarchy level.
To apply scheduling and queuing parameters to the interface set, include the
output-traffic-control-profile profile-name statement at the [edit class-of-service
interfaces interface-set interface-set-name] hierarchy level.
[Class of Service, Subscriber Access]
• Support for dynamic profile versions (MX Series routers)—Junos OS Release 11.4 provides the ability to create new versions of dynamic profiles that are currently in use
by subscribers. Any subscriber that logs in following a dynamic profile modification
uses the latest version of the dynamic profile. Subscribers that are already active
continue to use the older version of the dynamic profile until they log out or their session
terminates.
To enable the configuration of dynamic profile versions, include the versioning statement
at the [edit system dynamic-profile-options] hierarchy level.
When creating versions of dynamic profiles, keep the following in mind:
• You can enable or disable dynamic profile versioning regardless of whether dynamic
profiles are configured or not.
• Each version of a dynamic profile is stored in the profile database as a new profile.
• The name of the new profile version is derived by appending a four-character tag
string to the original base dynamic profile name. This tag string contains two dollar
sign ($) characters to identify the version field of the profile name. These two
characters are followed by two numerical characters that represent the version
number of the dynamic profile (for example, 01).
• The dynamic profile that you modify is always stored as the latest version. You cannot
create a modified dynamic profile and save it as an earlier version. For example, if
you modify version three of a dynamic profile, it is saved as version four.
• You can modify only the latest version of a dynamic profile.
• If the dynamic profile version that you modify is not in use by any subscriber, the
profile is overwritten with committed changes without creating a new version.
• You can create a maximum of 10 versions of each dynamic profile.
• If all 10 versions of a dynamic profile already exist, any modification to the dynamic
profile results in modifying the latest version of that profile (that is, version $$10). If
this version is in use, any modification attempt fails upon commit.
• You can delete a dynamic profile only when it is not in use.
• The dynamic profile version feature supports graceful restart and unified ISSU.
The show subscriber command has been enhanced to display the dynamic profile
name and current version (when appropriate) in the Dynamic Profile Name field for
each subscriber.
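The versioning rules listed above, modelled as an added Python simulation (written for these notes, not Junos code): it derives the $$NN names, overwrites an unused latest version in place, creates a new version when the latest is in use, and fails the commit when version $$10 is in use. It assumes that the first commit of a profile is stored as version 01; the profile and subscriber names are constructed.

```python
from typing import Dict, Set

MAX_VERSIONS = 10   # at most 10 versions of each dynamic profile
TAG_WIDTH = 2       # "$$" followed by two numerical characters, e.g. "$$01"


class CommitError(Exception):
    """Raised when a commit or delete would violate the versioning rules."""


def version_name(base: str, version: int) -> str:
    """Derived name: the base profile name plus a four-character tag such as '$$01'."""
    return f"{base}$${version:0{TAG_WIDTH}d}"


class ProfileDatabase:
    """Constructed model of the versioned profile database (added example)."""

    def __init__(self) -> None:
        self.config: Dict[str, str] = {}        # stored profile name -> configuration text
        self.latest: Dict[str, int] = {}        # base name -> latest version number
        self.subscribers: Dict[str, str] = {}   # subscriber id -> stored profile name

    def _users(self, name: str) -> Set[str]:
        return {sub for sub, prof in self.subscribers.items() if prof == name}

    def commit(self, base: str, config: str) -> str:
        """Store a modified profile and return the name it was saved under."""
        if base not in self.latest:              # assumed: first commit becomes version 01
            self.latest[base] = 1
            name = version_name(base, 1)
        else:
            current = self.latest[base]          # only the latest version can be modified
            name = version_name(base, current)
            if self._users(name):                # in use: the change must become a new version
                if current == MAX_VERSIONS:      # version $$10 in use: the commit fails
                    raise CommitError(f"{name} is in use and no further versions are allowed")
                current += 1
                self.latest[base] = current
                name = version_name(base, current)
            # not in use: overwritten in place, no new version
        self.config[name] = config
        return name

    def login(self, subscriber: str, base: str) -> str:
        """A subscriber logging in always receives the latest version."""
        name = version_name(base, self.latest[base])
        self.subscribers[subscriber] = name
        return name

    def logout(self, subscriber: str) -> None:
        del self.subscribers[subscriber]

    def profile_for(self, subscriber: str) -> str:
        """What 'show subscribers' lists in the Dynamic Profile Name field."""
        return self.subscribers[subscriber]

    def delete(self, base: str) -> None:
        """A profile can be deleted only when no version of it is in use."""
        names = [version_name(base, v) for v in range(1, self.latest[base] + 1)]
        busy = [n for n in names if self._users(n)]
        if busy:
            raise CommitError(f"cannot delete {base}: {busy[0]} is in use")
        for n in names:
            self.config.pop(n, None)
        del self.latest[base]


def commit_rejected(db: ProfileDatabase, base: str, config: str) -> bool:
    """True when the commit fails as the notes describe for an in-use version $$10."""
    try:
        db.commit(base, config)
    except CommitError:
        return True
    return False
```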
[Subscriber Access]
• Subscriber secure policy support for IPv6 traffic (MX Series routers)—Subscriber secure policy now mirrors IPv6 traffic as well as IPv4 traffic. IPv6 mirroring uses the
existing statements and configuration procedures and requires no additional steps.
As in the case of IPv4 mirroring, the IPv6 traffic is encapsulated in a UDP packet and
sent to the mediation device. IPv6 mirroring can be based on information provided by
either RADIUS or Dynamic Tasking Control Protocol (DTCP).
[Subscriber Access]
• Duplicate RADIUS accounting reports (MX Series routers)—By default, subscriber management sends RADIUS accounting reports to the accounting servers in the context
in which the subscriber was last authenticated. However, in a Layer 3 wholesale network
solution, the wholesaler and retailer might use different RADIUS accounting servers,
and both might want to receive the accounting reports. You can now configure duplicate
account reporting, and specify that subscriber management send the same RADIUS
accounting report to both the wholesaler and the retailer accounting servers.
To configure duplicate RADIUS accounting, you include the duplication statement at
the [edit access profile profile-name accounting] hierarchy level.
[Subscriber Access]
• Centrally configured per-subscriber DHCP options (VSA 26-55) (MX Series routers)—Subscriber management enables you to centrally configure DHCP options on a RADIUS server and distribute the options on a per-subscriber basis. You use Juniper
Networks VSA 26-55 to include the DHCP options information in the Access-Accept
message sent from the RADIUS server to the RADIUS client, and on to DHCP local
server for return to the DHCP subscriber.
The centrally configured DHCP options feature is supported for DHCP local server.
DHCP local server provides a passthrough operation, performing minimal processing
and error checking of the DHCP options string that the RADIUS server sends in VSA
26-55. The new feature does not affect the previously supported functionality, in which
VSA 26-55 is configured by DHCP local server or DHCP relay agent. Subscriber
management supports the previous and new functionality for both DHCPv4 and
DHCPv6.
[Subscriber Access]
• Support for concurrent IPoE DHCP and PPPoE logical interfaces on the same VLAN (MX Series routers with MPC/MIC interfaces)—Junos OS Release 11.4 supports the configuration of VLAN interfaces with multiple protocol interface stacks at the same
time. This means that you can now configure both IPoE DHCP logical interfaces and
PPPoE logical interfaces concurrently over the same VLAN interface.
Configuring PPPoE concurrently with IPoE DHCP on the same VLAN interface requires
that you use the family pppoe statement at the [edit interfaces interface-name unit
logical-unit-number], [edit logical-systems logical-system-name interfaces interface-name
unit logical-unit-number], [edit dynamic-profiles profile-name interfaces demux0 unit
logical-unit-number], or [edit dynamic-profiles profile-name interfaces interface-name
unit logical-unit-number] hierarchy level. This statement is supported only on MX Series
routers with MPCs. However, all features specific to DHCP and PPPoE interfaces are
supported with concurrent configuration on this platform.
[Subscriber Access]
• Support for processing DHCP information request messages (M120 and M320 Multiservice Edge Routers, MX Series 3D Universal Edge Routers)—By default, DHCP local server and DHCPv6 local server ignore any DHCP information request messages
that they receive. You can now override this default behavior to enable processing of
these messages. Include the process-inform statement at any of the [edit ... system
services dhcp-local-server ... overrides] or [edit ... system services dhcp-local-server
dhcpv6 ... overrides] hierarchy levels. Overriding the default behavior is appropriate
when the servers have DHCP clients with externally provided addresses; these clients
might send DHCP information request messages to the server to request further
configuration information from the server.
By default, DHCP relay and DHCP relay proxy now automatically forward DHCP
information request messages without modification as long as the messages are
received on an interface configured for a DHCP server group. DHCP relay drops
information request messages that it receives on any other interfaces. You cannot
disable this default DHCP relay and relay proxy behavior.
The information requested by these clients has typically been configured with the
dhcp-attributes statement for an address pool defined by the address-assignment pool
pool-name statement at the [edit access] hierarchy level.
When you enable processing of DHCP information request messages, include the pool
pool-name statement at the [edit system services dhcp-local-server overrides
process-inform] or [edit system services dhcp-local-server dhcpv6 overrides
process-inform] hierarchy level to optionally specify a pool name from which the local
server retrieves the requested configuration information for the client. If you do not
specify a local pool, then the local server requests that AAA select and return only the
name of the relevant pool.
When DHCPv6 is configured over PPP interfaces, the PPP RADIUS authentication data
can be used to select the pool from which the response information is taken.
Additionally, other RADIUS attributes can also be inserted into the DHCPv6 reply
message. If an overlap exists between RADIUS attributes and local pool attributes,
the RADIUS values are used instead of the local configuration data. If no RADIUS
information is received from the underlying PPP interface, then the behavior is the
same as described above for non-PPP interfaces.
DHCP local server responds to the client with a DHCP ack message that includes the
requested information—if it is available. DHCPv6 local server responds in the same
manner but uses a DHCP reply message. No subscriber management is applied as a
result of the DHCP inform message.
[Subscriber Access]
• Support for VLAN ID as a selector for IP demux interfaces (MX Series routers)—Junos OS Release 11.4 supports the configuration of IP demux interfaces using VLAN IDs as
the selector. You can now configure dynamic IP demux interfaces over either static or
dynamic VLAN demux interfaces. This feature provides the following support:
• Only single and dual VLAN tag options are supported as VLAN selectors.
• Both inet and inet6 families are supported.
• All firewall and CoS features are supported.
• Both static and dynamic demux interface creation is supported, including autosense
VLAN creation.
• Both DPC and MPC modules are supported.
For details about how to configure dynamic IP demux interfaces over static or dynamic
VLAN demux interfaces, see the Junos OS Special Document for Release 11.4 M Series,
MX Series, and T Series Routers and the Junos OS Subscriber Access Configuration Guide.
[Subscriber Access]
• Support for session and idle timeouts for L2TP tunneled subscriber sessions (MX Series 3D Universal Edge Routers)—You can now manage the length of L2TP tunneled subscriber sessions by including the client-idle-timeout statement, the
client-session-timeout statement, or both, at the [edit access profile profile-name
session-options] hierarchy level. This functionality was previously supported only for
PPP-terminated subscriber sessions.
The session timeout defines how long the subscriber session is allowed to be up before
it is terminated, regardless of user activity. The idle timeout monitors the session for
upstream and downstream traffic, and terminates the session when there has been
no traffic for the specified period. These timeouts apply on a per-routing-instance
basis.
You can also configure these limits on a per-subscriber basis with RADIUS attributes
Session-Timeout [27] and Idle-Timeout [28]. The RADIUS attributes returned for a
particular subscriber override any value set by the access profile applied when the user
logs in.
Issue the show subscribers detail command to display the session and idle timeouts
applied to the subscribers’ sessions.
[Subscriber Access]
• Testing L2TP tunnel configurations on an L2TP LAC (MX Series 3D Universal Edge Routers)—You can now test L2TP tunnel configurations on an MX Series router
configured as an L2TP LAC. In earlier releases, you had to bring up a tunneled PPP
subscriber to test configurations. Now you can issue the test services l2tp tunnel
command from CLI operation mode to map a subscriber to an L2TP tunnel, verify the
L2TP tunnel configuration (both locally on the LAC and on a back-end server such as
a RADIUS server), and verify that L2TP tunnels from the LAC can be established with
the remote LNS.
The Junos OS LAC implementation enables you to configure multiple tunnels from
which one tunnel is chosen for tunneling a PPP subscriber. You can use the test services
l2tp tunnel command to test all possible tunnel configurations to verify that each can
be established. Alternatively, you can test only a specific tunnel for the subscriber.
You must specify a configured subscriber username when you issue the command.
The test generates a dummy password for the subscriber, or you can optionally specify
the password. The test verifies whether the subscriber identified by that username can
be tunneled according to the tunnel configuration. If the subscriber can be tunneled,
then the test verifies whether the L2TP tunnel can be established with the LNS according
to the L2TP configuration.
You can optionally specify a tunnel ID, in which case only that tunnel is tested; the
tunnel must be already configured for that username. If you omit this option, the test
is applied to the full set of tunnel configurations that are returned for the username.
The tunnel ID you specify is the same as that used by Tunnel-Assignment-Id (RADIUS
attribute 82) and specified by the identification statement in the tunnel profile.
[Subscriber Access, System Basics and Services Command Reference]
• Parameterized filters and policers (MX Series routers)—This feature adds the ability to configure firewall filters and policers under a dynamic profile. The filter and policer
definition can now utilize dynamic-profile variables, which allows you to customize
your configuration at session creation time. You can configure a general filter or policer
under a dynamic profile and then provide policing rates, destination addresses, ports,
and so forth when a dynamic session is activated. To support this feature, the
service-filter-hit-except match condition has been added to the [edit firewall] hierarchy
level. In addition, the [edit dynamic-profile profile-name] hierarchy level is now supported
for the [edit firewall] hierarchy.
[Subscriber Access, Policy Framework]
• DTCP trigger attributes and SNMP objects for subscriber secure policy traffic mirroring (MX Series routers)—A subscriber secure policy traffic mirroring session starts when the router, functioning as the intercept access point, receives a DTCP ADD
message that contains a trigger attribute. In earlier releases, DTCP used the Interface
ID attribute to trigger traffic mirroring. Junos OS Release 11.4 introduces support for
additional DTCP attributes that trigger DTCP-initiated subscriber secure policy traffic
mirroring.
Junos OS Release 11.4 also provides additional SNMP trap support for subscriber secure
policy, including SNMP objects to identify the subscriber and to track traffic statistics.
Table 7 on page 95 shows the DTCP trigger attributes, including the previously supported
Interface ID attribute. The attributes are listed in order of preference, from high to low.
If an ADD message contains multiple trigger attributes, the subscriber secure policy
uses the attribute with the highest preference and initiates the traffic mirroring
associated with that trigger attribute.
Table 7: DTCP Trigger Attributes
Semantic | DTCP Message Attribute Name | Description of Mirroring Trigger
Accounting Session ID | X-Act-Sess-Id | The text string of the accounting session ID associated with the subscriber.
Calling Station ID | X-Call-Sta-Id | The text string of the calling station ID associated with the subscriber.
IP Address | X-IP-Addr-Unit, X-Logical-System (optional), X-Routing-Instance (optional) | The IPv4 address associated with the interface for the subscriber. You can optionally include the X-Logical-System and X-Routing-Instance attributes with this attribute. If neither is specified, the default logical system and routing instance are used.
Interface ID | X-Interface-Id | The interface description string on which traffic mirroring is performed (for example, ge-0/0/0.1 or demux0.107472834).
NAS Port ID | X-NAS-Port-Id | The text string of the NAS port ID associated with the subscriber.
DHCP Option 82 | X-RM-Circuit-Id, X-RM-Agent-Id | The combination of the remote circuit ID and the remote agent ID attributes, which specifies the DHCP Option 82 associated with the session.
Remote Agent ID | X-RM-Agent-Id | The text string of the Agent Remote ID suboption for the subscriber. Can be a trigger when used by itself, or can be used together with the Remote Circuit ID attribute to specify the DHCP Option 82 trigger.
User Name | X-UserName, X-Logical-System (optional), X-Routing-Instance (optional) | The user name for this subscriber. You can optionally include the X-Logical-System and X-Routing-Instance attributes with this attribute. If neither is specified, the default logical system and routing instance are used.
Table 8 on page 96 shows the new subscriber secure policy SNMP objects and the trap
definitions for Junos OS Release 11.4.
Table 8: SNMP Trap Definitions
New SNMP Object | Description | SNMP Trap Definition
jnxJsPacketMirrorCallingStationIdentifier | Calling station ID of subscriber whose traffic is being monitored. | jnxJsPacketMirrorLiSubscriberLoggedIn, jnxJsPacketMirrorLiSubscriberServiceActivated, jnxJsPacketMirrorLiSubscriberLogInFailed, jnxJsPacketMirrorLiSubscriberServiceActivationFailed
jnxJsPacketMirrorNasIdentifier | NAS ID of the router on which the traffic is being monitored. | jnxJsPacketMirrorLiSubscriberLoggedIn, jnxJsPacketMirrorLiSubscriberServiceActivated
jnxJsPacketMirrorOctetsReceived | Number of octets of combined IPv4 and IPv6 subscriber traffic received. | jnxJsPacketMirrorLiSubscriberLoggedOut
jnxJsPacketMirrorOctetsTransmitted | Number of octets of combined IPv4 and IPv6 subscriber traffic transmitted. | jnxJsPacketMirrorLiSubscriberLoggedOut
[Subscriber Access]
• Service accounting with JSRC (M120 and M320 Multiservice Edge Routers, MX Series 3D Universal Edge Routers)—When JSRC provisions subscriber services, you can now
also use JSRC to report accounting data for those services. You can choose service
activation/deactivation accounting to report cumulative service session statistics when
a service is terminated, or interim accounting to report service session statistics at
specified intervals for the duration of the session.
When the SAE sends the Juniper-Policy-Install AVP (AVP code 2020) to specify a
service for JSRC to activate, JSRC initiates service activation/deactivation accounting
if that AVP also includes the Juniper-Acct-Collect AVP (AVP code 2054).
JSRC initiates interim accounting when the Juniper-Policy-Install AVP includes the
Acct-Interim-Interval AVP (AVP code 85). In this case, JSRC updates the accounting
values at the interval specified in the AVP—in the range 600 through 86,400 seconds.
JSRC and the SAE exchange Diameter Accounting-Request (ACR) and
Accounting-Answer (ACA) messages to communicate accounting data. Both messages
include the Juniper-Acct-Record AVP (AVP code 2053) to identify and confirm the
service for which accounting information is requested.
JSRC can provide an accounting only of volume statistics. You must employ either
classic firewall filters or fast update firewall filters to collect the accounting data. To
specify JSRC accounting, include the accounting-order activation-protocol statement
at the [edit access profile] hierarchy level; this is the same access profile that configures
JSRC service provisioning. Alternatively, you can configure the accounting reports to
be sent by RADIUS by including instead the accounting-order radius statement at the
[edit access profile] hierarchy level.
[Subscriber Access]
• Support for controlling the rate of flow of RADIUS messages (M120, M320, MX Series routers)—Junos OS Release 11.4 supports limiting the flow of RADIUS requests between the router and configured RADIUS servers. To specify the number of RADIUS requests
per second that the router can send, collectively, to all configured RADIUS servers,
include the request-rate configuration statement at the [access profile profile-name
radius options] hierarchy level. By default, the router can send up to 500 requests per
second to the RADIUS servers. You can specify a value from 500 through 4000 requests
per second.
Junos OS Release 11.4 also enables you to limit the maximum number of outstanding
requests from the router to a RADIUS server. To specify the maximum number of
outstanding requests from the router to a RADIUS server, include the
max-outstanding-requests configuration statement at the [access profile profile-name
radius server] or [profile profile-name radius server] hierarchy level. By default, a
RADIUS server can have up to 1000 outstanding RADIUS requests. You can specify a
value from 0 through 2000 outstanding requests.
To view the current RADIUS settings, as well as the effect of the new settings on
performance, use the show network-access aaa statistics radius operational mode
command.
user@host> show network-access aaa statistics radius
                                          Outstanding Requests
RADIUS Server   Profile        Configured   Current   Peak   Exceeded
12.1.11.254     pppoe-auth     111          0         1      0
12.1.12.254     pppoe-auth-2   0            0         0      1
12.1.13.254     pppoe-auth-3   64           0         10     0
To clear the RADIUS statistics for the Peak and Exceeded columns, use the clear
network-access aaa statistics radius operational mode command.
[Subscriber Access]
• Triggering ANCP OAM loopback tests (MX Series 3D Universal Edge Routers)—You can trigger ANCP OAM to perform a loopback test on the local loop (between the
access node and the CPE), which can aid in simple fault isolation. When using an
ATM-based local loop, the ANCP operation can trigger the access node to generate
ATM (F4/F5) loopback cells on the local loop. For an Ethernet-based local loop, ANCP
operation can trigger the access node to generate an Ethernet loopback message on
the local loop. When the test is completed, the access node sends a message to the
router with the results.
To initiate local loop testing, you must identify a particular loop for the test. You can
issue the request ancp oam neighbor command from CLI operation mode and identify
the access loop by specifying an ANCP neighbor by IP address or system name; in either
case you must also specify the access identifier for a subscriber on that access node.
Alternatively, you can issue the request ancp oam interface command from CLI operation
mode and identify the loop by specifying an ANCP interface or set of interfaces. With
either command, you can also specify how many times the test must be run and how
long the router waits for a response to the OAM request.
[Subscriber Access]
• Mapping ANCP attributes to vendor-specific attributes (MX Series 3D Universal Edge Routers)—You can now configure AAA to add the
Downstream-Calculated-QoS-Rate VSA (IANA 4874, 26-141) and the
Upstream-Calculated-QoS-Rate VSA (IANA 4874, 26-142) to the RADIUS
authentication and accounting request messages for subscribers. By default, these
VSAs are not present in any RADIUS messages. To add the VSAs, include the
juniper-dsl-attributes statement at the [edit access profile profile-name radius options]
hierarchy level.
AAA provides the default recommended transmit and receive speeds in these RADIUS
messages. The default values are configured with the advisory-options statement at
the [edit protocols ancp interfaces interface-name] hierarchy level. The transmit speed
is the recommended traffic value in bits per second used for downstream traffic for
an ANCP interface, and is conveyed in the Downstream-Calculated-QoS-Rate VSA
(IANA 4874, 26-141). The receive speed is the recommended traffic value in bits per
second used for upstream traffic for an ANCP interface, and is conveyed in the
Upstream-Calculated-QoS-Rate VSA (IANA 4874, 26-142).
In contrast to the Juniper Networks DSL VSAs, the DSL Forum (RFC 4679) VSA is added
to RADIUS messages by default. You can use the exclude dsl-forum-attributes
statement at the [edit access profile profile-name radius attributes] hierarchy level to
prevent the DSL Forum VSA from being included in a specified type of RADIUS message.
Similarly, you can use the exclude downstream-calculated-qos-rate and the exclude
upstream-calculated-qos-rate statements to prevent these Juniper Networks VSAs
from being included in a specified type of RADIUS message.
[Subscriber Access]
• Setting a recommended shaping rate for traffic on ANCP interfaces (MX Series 3D Universal Edge Routers)—When the access node sends information about the
downstream and upstream calculated traffic rates for an interface, those values are
used to shape the traffic sent to the interface so that it matches the subscriber local
loop speed. You can now specify recommended values to be used in the event the
router does not receive this information from the access node. The configured
recommended values are used as the default values for two Juniper VSAs,
Downstream-Calculated-QoS-Rate (IANA 4874, 26-141) and
Upstream-Calculated-QoS-Rate (IANA 4874, 26-142). To set the recommended
shaping rate, include the advisory-options statement at the [edit protocols ancp
interfaces interface-name] hierarchy level and specify the downstream (transmit) or
upstream (receive) traffic rate in bits per second.
[Subscriber Access]
• Improving the accuracy of the data rate reported by ANCP (MX Series 3D UniversalEdge Routers)—When a DSLAM calculates the data rate on the subscriber local loop,
it ignores the additional headers on the DSL line that are associatedwith the overhead
of the access mode (ATM or Ethernet). However, when ANCP subsequently reports
the upstream data rate or the downstream data rate, it includes the headers in its
calculation and therefore reports a slightly higher value than that calculated by the
DSLAM. This discrepancy causes the CoS shaping rate to be slightly higher than the
actual rate.
You can configure an adjustment factor that applies a percentage value to the total
downstream and upstream data rates reported by ANCP. The adjustment factor applies
globally for all subscribers of a particular DSL line type. The adjusted data rate results
in a more accurate CoS shaping rate that is reported to CoS and to AAA whenever AAA
requests the data rate from ANCP. To configure the adjustment factor, include the
adjustment-factor statement at the [edit protocols ancp] hierarchy level.
[Subscriber Access]
• HTTP redirect service plugin (MX Series 3D Universal Edge Routers)—This feature adds IPv6 support for HTTP redirect. When you use a remote IPv6 HTTP redirect server,
you can now configure an HTTP service rule to rewrite the IPv6-DA of incoming HTTP
requests on the service router. This ensures that the requests reach the remote HTTP
redirect server before being redirected to a captive portal. When you use a local HTTP
redirect server, you can configure an HTTP service rule to redirect HTTP requests to a
captive portal within a walled garden.
[Subscriber Access]
• AVP service bundle and definition (MX Series 3D Universal Edge Routers)—This feature adds the Juniper-Service-Bundle AVP (AVP code 2004), which is of type
OctetString, and defines a name of the service bundle.
[Subscriber Access]
• Support for configurable RADIUS account termination reasons—Junos OS Release 11.4 supports configurable mapping of protocol-specific terminate reasons to the
RADIUS Acct-Terminate-Cause attribute.
NOTE: For a list of default termination reasons, see the Junos OS Special Document for Release 11.4 M Series, MX Series, and T Series Routers.
When a AAA, DHCP, L2TP, or PPP session is terminated, protocol-specific terminate
reasons (if determined) are converted to a specific termination cause, as defined by
standard RADIUS attribute 49 (Acct-Terminate-Cause). This attribute is included in
RADIUS Acct-Stop messages and is used to monitor and troubleshoot terminated
user sessions.
Terminate reason usage statistics are accumulated on the router. You can use the
show network-access aaa terminate-code [reverse] [(aaa | dhcp | l2tp | ppp)] [(detail |
summary | brief)] command to display information about mappings between application
terminate reasons and RADIUS Acct-Terminate-Cause attributes. You can also use
the clear network-access aaa statistics terminate-code command to clear all terminate
mapping statistics.
Junos OS Release 11.4 also supports the option to customize mappings between a
terminate reason and a RADIUS Acct-Terminate-Cause attribute, enabling you to
provide different information about the cause of a termination. To configure customized
mappings between a terminate reason and a RADIUS Acct-Terminate-Cause attribute,
include the terminate-code (aaa | dhcp | l2tp | ppp) term-reason radius term-cause
statement at the [edit access] hierarchy level.
[Subscriber Access]
• RADIUS support for limiting maximum number of concurrent PPPoE sessions (M120, M320, and MX Series routers)—Enables you to override the PPPoE maximum session
value (configured with the max-sessions statement) with the PPPoE maximum session
value returned by the RADIUS server in the Max-Clients-Per-Interface Juniper Networks
vendor-specific attribute (VSA) [26-143]. This feature is useful if you want to determine
the PPPoE session limit on a per-subscriber basis.
The PPPoE maximum session value specifies the maximum number of concurrent
static or dynamic PPPoE logical interfaces (sessions) that the router can activate on
the PPPoE underlying interface, or the maximum number of active static or dynamic
PPPoE sessions that the router can establish with a particular service entry in a PPPoE
service name table.
In earlier releases, the PPPoE maximum session value was determined on a
per-interface basis by the number of active PPPoE sessions configured in the CLI with
the max-sessions statement. In the current release, the PPPoE maximum session value
is determined on a per-subscriber basis by the maximum session value returned by
RADIUS in the Max-Clients-Per-Interface VSA [26-143] during the subscriber
authentication process. The Max-Clients-Per-Interface VSA returns the PPPoE
maximum session value in Access-Accept messages, but not in Change of Authorization
Request (CoA-Request) messages.
The Max-Clients-Per-Interface VSA uses Juniper Networks vendor ID 4874, and is
defined as follows:
Attribute Name:       Max-Clients-Per-Interface
Attribute Number:     26-143
Description:          Maximum allowable client sessions per interface. For DHCP clients, this
                      value is the maximum sessions per logical interface. For PPPoE clients,
                      this value is the maximum sessions (PPPoE interfaces) per PPPoE
                      underlying interface.
Value:                integer: 4-octet
Dynamic CoA Support:  No
By default, the maximum session value returned by RADIUS in the
Max-Clients-Per-Interface VSA takes precedence over the configured PPPoE maximum
session value; no special configuration is required on the router to use this feature.
To clear (ignore) the value returned by RADIUS in the Max-Clients-Per-Interface VSA
and restore the PPPoE maximum session value on the underlying interface to the value
configured in the CLI with the max-sessions statement, you must include the new
max-sessions-vsa-ignore statement at any of the following hierarchy levels:
• [edit dynamic-profiles profile-name interfaces demux0 unit logical-unit-number family
pppoe]
• [edit dynamic-profiles profile-name interfaces interface-name unit logical-unit-number
family pppoe]
• [edit interfaces interface-name unit logical-unit-number family pppoe]
• [edit interfaces interface-name unit logical-unit-number pppoe-underlying-options]
• [edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number family pppoe]
• [edit logical-systems logical-system-name interfaces interface-name unit
logical-unit-number pppoe-underlying-options]
To display information about the maximum sessions configured on the PPPoE
underlying interface, use the show pppoe underlying-interfaces operational command.
[Junos OS Subscriber Access Configuration Guide, Junos OS Interfaces Command Reference,
Junos OS Ethernet Interfaces Configuration Guide]
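The Juniper VSAs named in the ANCP shaping-rate item above (26-141, 26-142) and the Max-Clients-Per-Interface VSA (26-143) share the RFC 2865 Vendor-Specific encoding. The following Python is an added example, not Junos code, that decodes them with strict length checks and applies the Access-Accept versus CoA-Request and max-sessions-vsa-ignore precedence described above; the sample attribute bytes and the rate values in them are constructed.

```python
"""Decode Juniper Networks VSAs from a RADIUS attribute list (added example,
not Junos code).  Encoding follows RFC 2865 section 5.26 (Vendor-Specific,
type 26); vendor ID 4874 and sub-attributes 141/142/143 are those named in
the release notes.  Sample attribute bytes below are constructed."""
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type
JUNIPER_VENDOR_ID = 4874      # IANA enterprise number carried in the Juniper VSAs

# Juniper sub-attribute numbers from the release notes; each is a 4-octet integer.
JUNIPER_INTEGER_VSAS = {
    141: "Downstream-Calculated-QoS-Rate",
    142: "Upstream-Calculated-QoS-Rate",
    143: "Max-Clients-Per-Interface",
}

ACCESS_ACCEPT = 2             # RFC 2865 packet code
COA_REQUEST = 43              # RFC 5176 packet code


def iter_attributes(payload):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting a
    malformed TLV instead of reading past the end of the buffer."""
    off = 0
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = payload[off], payload[off + 1]
        # Length counts Type, Length and Value, so it can never be below 2.
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        yield atype, payload[off + 2:off + alen]
        off += alen


def decode_juniper_vsas(payload):
    """Return {name: int} for the Juniper integer VSAs in payload.  Other
    vendors' VSAs and unknown Juniper sub-attributes are skipped; a known
    integer VSA whose value is not exactly 4 octets is rejected rather than
    silently truncated or zero-padded."""
    found = {}
    for atype, value in iter_attributes(payload):
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 6:    # Vendor-Id (4) + vendor-type + vendor-length
            raise ValueError("short Vendor-Specific attribute")
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        # One Vendor-Specific attribute may carry several sub-attributes.
        sub, off = value[4:], 0
        while off < len(sub):
            if len(sub) - off < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[off], sub[off + 1]
            if vlen < 2 or off + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length %d" % vlen)
            vvalue = sub[off + 2:off + vlen]
            name = JUNIPER_INTEGER_VSAS.get(vtype)
            if name is not None:
                if len(vvalue) != 4:
                    raise ValueError("%s must be a 4-octet integer" % name)
                found[name] = struct.unpack("!I", vvalue)[0]
            off += vlen
    return found


def effective_max_sessions(code, payload, cli_max_sessions, vsa_ignore=False):
    """Precedence from the release notes: the Max-Clients-Per-Interface value
    overrides the CLI max-sessions value only when it arrives in an
    Access-Accept and max-sessions-vsa-ignore is not configured.  The VSA is
    not returned in a CoA-Request, so that message type keeps the CLI value."""
    value = decode_juniper_vsas(payload).get("Max-Clients-Per-Interface")
    if code == ACCESS_ACCEPT and value is not None and not vsa_ignore:
        return value
    return cli_max_sessions


def juniper_vsa(sub_type, value):
    """Encode one Vendor-Specific attribute holding a single 4-octet Juniper
    sub-attribute (used here only to build the constructed sample)."""
    body = struct.pack("!IBBI", JUNIPER_VENDOR_ID, sub_type, 6, value)
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


# Constructed Access-Accept attribute list: Session-Timeout (type 27) of
# 3600 seconds, then the three Juniper VSAs with made-up values.
SAMPLE_ACCEPT = (
    struct.pack("!BBI", 27, 6, 3600)
    + juniper_vsa(141, 8_000_000)   # downstream rate, bits per second
    + juniper_vsa(142, 1_000_000)   # upstream rate, bits per second
    + juniper_vsa(143, 32)          # max PPPoE sessions on the interface
)

if __name__ == "__main__":
    print(decode_juniper_vsas(SAMPLE_ACCEPT))
    print(effective_max_sessions(ACCESS_ACCEPT, SAMPLE_ACCEPT, cli_max_sessions=16))
```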
• Support for in-line L2TP LNS (MX Series 3D Universal Edge Routers with MPCs)—MX Series routers with Trio MPCs now support L2TP LNS functionality in addition to the
L2TP LAC functionality previously supported. In earlier releases, L2TP LNS support
was available only on certain M Series Multiservice Edge Routers and required a separate
service PIC. The new MX Series support means that the MPCs you are already using
for other applications can now be used to provide inline L2TP LNS services.
To enable inline services on an MPC, include the inline-services statement at the [edit
chassis fpc slot-number pic number] hierarchy level. You can configure the amount of
bandwidth reserved on each Packet Forwarding Engine for tunnel traffic using inline
services with the bandwidth statement at the [edit chassis fpc slot-number pic
number inline-services] hierarchy level.
Inline services require that you configure a service interface—si—either statically at the
[edit interfaces] hierarchy level or with a dynamic profile.
When you configure the properties of the L2TP tunnel on the LNS with the tunnel-group
statement at the [edit services l2tp] hierarchy level, you can include the new
aaa-access-profile statement to specify a local access profile that overrides the global
access profile for this tunnel group. You can also include the tos-reflect statement,
which causes the LNS to reflect the IP ToS value in the inner IP header to the outer IP
header.
To monitor LNS operations and configuration, you can issue the following existing
commands on the LNS: show services l2tp destination, show services l2tp session, show
services l2tp summary, show services l2tp tunnel, and show subscribers.
[Subscriber Access]
• Unique identifiers for firewall variables in dynamic profiles (MX Series routers)—Enables the system to generate unique identifiers (UID) for parameterized
filters in dynamic profiles created for services. The generated UIDs enable you to identify
and configure separate parameter values for filters with the same variable name. In
addition, assigning a UID improves performance of the router.
For service profiles, you can request the generation of a UID for a user-defined variable
by including the uid statement at the [edit dynamic-profiles profile-name variable
variable-name] hierarchy level. You then reference the variable name in the filter.
To enable selection of a particular filter in a dynamic profile that contains multiple
variables of the same parameter and criteria type, you must indicate that the variable
refers to a UID. To configure, include the uid-reference statement at the [edit
dynamic-profiles profile-name variable variable-name] hierarchy level.
For example, if the variable $in-filter receives the value of “filter1” from RADIUS, the
filter definition named $filter is used.
[Subscriber Access]
• SNMP support for dual-stack subscriber secure policy traffic mirroring (MX Series routers)—Subscriber secure policy traffic mirroring now provides dual-stack support
for DHCP and PPP subscribers. Dual-stack support enables the router to activate both
IPv4 and IPv6 traffic mirroring at different times. As part of the dual-stack
enhancements, Junos OS Release 11.4 also includes a new SNMP object to identify the
mirrored IPv6 traffic, and two existing SNMP objects that are modified to track IPv6
traffic statistics.
Table 9 on page 103 shows the new and modified SNMP objects.
Table 9: SNMP Trap Definitions

SNMP Object: jnxJsPacketMirrorTargetIpv6Address (new)
  Description: IPv6 address of the mirrored interface.
  SNMP Trap Definitions: jnxJsPacketMirrorLiSubscriberLoggedIn,
    jnxJsPacketMirrorLiSubscriberServiceActivated,
    jnxJsPacketMirrorLiSubscriberServiceDeactivated,
    jnxJsPacketMirrorLiSubscriberLogInFailed,
    jnxJsPacketMirrorLiSubscriberLoggedOut,
    jnxJsPacketMirrorLiSubscriberServiceActivationFailed

SNMP Object: jnxJsPacketMirrorOctetsReceived (modified)
  Description: Number of octets of combined IPv4 and IPv6 subscriber traffic received.
  SNMP Trap Definition: jnxJsPacketMirrorLiSubscriberLoggedOut

SNMP Object: jnxJsPacketMirrorOctetsTransmitted (modified)
  Description: Number of octets of combined IPv4 and IPv6 subscriber traffic transmitted.
  SNMP Trap Definition: jnxJsPacketMirrorLiSubscriberLoggedOut
[Subscriber Access]
• Support for static and dynamic CoS and firewall filters on L2TP inline LNS service interfaces (MX Series routers)—Enables you to configure static and dynamic CoS parameters for PPP sessions terminated over L2TP network server (LNS) tunnels. This
feature is supported on MX Series routers with MPC/MIC modules.
Inline services at the LNS require that you configure a service interface (si) at the [edit
interfaces] hierarchy level.
When a service interface is configured for an L2TP LNS session, it has an inner IP header
and an outer IP header. You can configure CoS for an LNS session that corresponds
to the inner IP header because the outer IP header is used for the L2TP tunnel
processing. However, we recommend that you configure the LNS to reflect the IP ToS
value in the inner IP header to the outer IP header by including the tos-reflect statement
at the [edit services l2tp] hierarchy level.
To apply per-session CoS on egress traffic from the LAC, you can configure fixed and
behavior aggregate (BA) classifiers by including the classifiers statement at the [edit
class-of-service] hierarchy level. You can then apply the classifiers at the [edit
class-of-service interfaces si-fpc/port/pic unit logical-unit-number] hierarchy level or
at the [edit dynamic-profiles profile-name class-of-service interfaces
$junos-interface-ifd-name unit $junos-interface-unit] hierarchy level. The following BA
classifier types are supported: inet-precedence, dscp, and dscp-ipv6.
To apply per-session CoS on ingress traffic to the LAC, you can configure rewrite rules,
hierarchical scheduling, and shaping adjustments. To define rewrite rules, include the
rewrite-rules statement at the [edit class-of-service] hierarchy level. You can then apply
the rewrite rules at the [edit class-of-service interfaces si-fpc/port/pic unit
logical-unit-number] hierarchy level or at the [edit dynamic-profiles profile-name
class-of-service interfaces $junos-interface-ifd-name unit $junos-interface-unit] hierarchy
level.
By default, the shaping calculation on the service interface includes the L2TP
encapsulation. If necessary, you can configure additional adjustments for downstream
ATM traffic from the LAC or differences in Layer 2 protocols. To enable hierarchical
scheduling for the service interface, include the hierarchical-scheduler statement at
the [edit interfaces si-fpc/port/pic ] hierarchy level. To enable Level 3 nodes in the LNS
scheduler hierarchy and provide better scaling, we recommend that you specify two
hierarchy levels by including the maximum-hierarchy-levels statement at the [edit
interfaces si-fpc/port/pic hierarchical-scheduler] hierarchy level.
To apply additional shaping adjustments for static LNS sessions, you can configure
the overhead-accounting statement for the service interface at the [edit class-of-service
traffic-control-profiles profile-name] hierarchy level. For dynamic CoS, apply the
overhead-accounting statement for the service interface at the [edit dynamic-profiles
profile-name class-of-service traffic-control-profiles profile-name] hierarchy level.
You can then apply the traffic control profile to the service interface by including the
output-traffic-control-profile statement at the [edit class-of-service interfaces
si-fpc/port/pic unit logical-unit-number] hierarchy level or at the [edit dynamic-profiles
profile-name class-of-service interfaces $junos-interface-ifd-name unit
$junos-interface-unit] hierarchy level. To limit bandwidth for tunneled sessions with
default CoS configurations, we recommend that you also configure CoS for remaining
traffic by including the output-traffic-control-profile-remaining statement for the static
interface.
[Subscriber Access, Class of Service]
• DHCPv6 multiple address support (MX Series routers)—Subscriber management now supports the assignment of multiple addresses to a DHCPv6 client. DHCPv6 clients
can request both IA_NA and IA_PD addresses in a single DHCPv6 Solicit message. This
feature provides support for networking environments in which a customer premises
equipment (CPE) device requires a host address and a delegated prefix.
DHCPv6 multiple address support is enabled by default, and is activated when the
client DHCPv6 Solicit message contains both the IA_NA and IA_PD options. The
following list describes subscriber management enhancements to support multiple
address assignment:
• For dynamic profile support, you use the new Junos OS predefined variable,
$junos-subscriber-ipv6-multi-address. The variable is applied as a demux source
address array, and is expanded to include both the host and prefix addresses. You
include the $junos-subscriber-ipv6-multi-address variable at the [edit dynamic-profile
profile-name interfaces interface-name unit logical-unit-number family inet6
demux-source] hierarchy level. You can use this variable in place of the existing
$junos-subscriber-ipv6-address variable, which only supports a single IPv6 address
or prefix.
• You can explicitly specify which address pool the router uses to assign the IA_PD
address. This enables you to identify the address pool without using RADIUS or a
network match. To specify which address pool you want to use to assign the IA_PD
address, include the delegated-pool statement at the [edit system services
dhcp-local-server dhcpv6 ... overrides] hierarchy levels. You can configure the
delegated pool at the DHCPv6 local server global, group, or interface hierarchy levels.
• The show dhcpv6 server binding and show subscriber commands now display
information related to the DHCPv6 IA_NA and IA_PD multiple address assignments.
[Subscriber Access]
• Support for interface name in the authentication username—You can now include
the interface name as part of the DHCPv4 and DHCPv6 authentication username for
DHCP local server and DHCP relay agent. You can include the interface name globally
or for a specific group.
To configure the authentication interface name, include the interface-name statement
at the appropriate [edit ... authentication username-include] hierarchy levels for DHCP
and DHCPv6 local server, and DHCP and DHCPv6 relay agent.
[Subscriber Access]
• Support for the calling station ID field in RADIUS packets—Starting in Release 11.4, Junos OS supports the calling station ID field in RADIUS authentication and accounting
packets for sessions originating from SSH, Telnet, and FTP-based clients. The calling
station ID field contains the IP address of the host from which a user connects to the
router.
Addition of the calling station ID information in the RADIUS authentication packets
enables you to configure the RADIUS server to authorize, track, and account users
based on the calling station ID information. The calling station ID field also enables
you to identify the geographical locations of the host from which the connection request
originates.
[System Basics]
• Enhancements to tracing DHCP operations (M120 and M320 Multiservice Edge Routers, MX Series 3D Universal Edge Routers)—In earlier releases you configured DHCP trace logging in only the default:default LS:RI combination; the configuration
was applied globally to all LS:RI instances. To apply DHCP trace operations to a
nondefault LS:RI combination, you were required to configure a DHCP application in
the default:default LS:RI combination.
Trace logging is now configured by default outside the scope of the DHCP applications
(DHCP relay or DHCP local server). To apply a DHCP trace configuration across all
LS:RI combinations and all DHCP applications, include the traceoptions or
interface-traceoptions statement at the [edit system processes dhcp-service] hierarchy
level.
NOTE: Configuration of event tracing on a per-LS:RI basis is still not supported.
The existing statements at the [edit system services dhcp-local-server] and [edit
forwarding-options dhcp-relay] hierarchy levels have been deprecated and hidden in
favor of the statements at the new level in the CLI hierarchy. The deprecated statements
might be removed from a future release; we recommend that you transition to the new
statements.
Because a trace configuration can be configured in more than one scope (two old and
deprecated, one new and recommended), the following rules apply to manage the
interaction:
• When you configure a filename or any other options for the trace log file, the
configuration at the [edit system processes dhcp-service] hierarchy level has the
highest precedence, followed by the configuration at the [edit system services
dhcp-local-server] hierarchy level, and finally with the lowest precedence, the
configuration at the [edit forwarding-options dhcp-relay] hierarchy level.
• The flag configuration for multiple scopes is merged and applied to all trace log
events.
• You can now filter the generation of DHCP trace log events by severity level: error,
warning, notice, info, verbose, and all. The default setting is error. However, if you
configure the old statements, trace logging operates with an implicit severity of all,
regardless of the severity level configured at the [edit system processes dhcp-service]
hierarchy level.
The following table lists previously available traceoptions flags that have been
deprecated and the corresponding flags that now provide the same functionality.
Deprecated Flag          Replacement Flag
dhcpv6-general           general
dhcpv6-io                io
dhcpv6-packet            packet
dhcpv6-packet-option     packet
dhcpv6-rpd               rpd
dhcpv6-session-db        session-db
dhcpv6-state             state
packet-option            packet
Finally, the layout of trace log content has been enhanced to improve readability.
[Subscriber Access]
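As an added example (not Junos code), the following Python applies the three precedence rules above and the deprecated-flag table to a constructed set of trace configurations, showing how a leftover deprecated statement forces the effective severity to all even when the new scope asks for warning.

```python
"""Resolve the effective DHCP traceoptions configuration when trace settings
exist in more than one scope, following the precedence rules in the release
notes.  Added example, not Junos code: the scope names and flag table come
from the notes, the sample configurations are constructed."""

# Scopes in precedence order for log-file options (highest first).
SCOPE_PRECEDENCE = (
    "system processes dhcp-service",      # new, recommended
    "system services dhcp-local-server",  # deprecated
    "forwarding-options dhcp-relay",      # deprecated
)
NEW_SCOPE = SCOPE_PRECEDENCE[0]

# Severity levels in increasing verbosity; "error" is the default.
SEVERITY_LEVELS = ("error", "warning", "notice", "info", "verbose", "all")

# Deprecated flag -> replacement flag, from the table in the release notes.
DEPRECATED_FLAGS = {
    "dhcpv6-general": "general",
    "dhcpv6-io": "io",
    "dhcpv6-packet": "packet",
    "dhcpv6-packet-option": "packet",
    "dhcpv6-rpd": "rpd",
    "dhcpv6-session-db": "session-db",
    "dhcpv6-state": "state",
    "packet-option": "packet",
}


def normalize_flag(flag):
    """Map a deprecated flag name to the flag that now provides it."""
    return DEPRECATED_FLAGS.get(flag, flag)


def resolve_traceoptions(scopes):
    """scopes: {scope_name: {"file": {...}, "flags": [...], "level": str}}.
    Returns the effective file options, merged flag list, severity, and a
    warning per deprecated scope still present."""
    for name, s in scopes.items():
        if name not in SCOPE_PRECEDENCE:
            raise ValueError("unknown trace scope: %s" % name)
        if s.get("level") is not None and s["level"] not in SEVERITY_LEVELS:
            raise ValueError("unknown severity level: %s" % s["level"])

    # Rule 1: file options come from the highest-precedence scope that sets them.
    file_opts = {}
    for name in SCOPE_PRECEDENCE:
        if name in scopes and scopes[name].get("file"):
            file_opts = dict(scopes[name]["file"])
            break

    # Rule 2: flags from every scope are merged (deprecated names translated).
    flags = set()
    for s in scopes.values():
        flags.update(normalize_flag(f) for f in s.get("flags", ()))

    # Rule 3: the configured severity is honoured only when no deprecated
    # scope exists; any old statement forces an implicit severity of "all".
    deprecated_present = [name for name in scopes if name != NEW_SCOPE]
    if deprecated_present:
        level = "all"
    else:
        level = scopes.get(NEW_SCOPE, {}).get("level") or "error"

    return {
        "file": file_opts,
        "flags": sorted(flags),
        "level": level,
        "warnings": ["deprecated scope configured: %s" % n for n in deprecated_present],
    }


# Constructed sample: the new scope was added with a tight severity, but an
# old dhcp-relay trace statement was left in place.
SAMPLE_CONFIG = {
    "system processes dhcp-service": {
        "file": {"filename": "dhcp-trace.log", "size": "10m"},
        "flags": ["packet", "session-db"],
        "level": "warning",
    },
    "forwarding-options dhcp-relay": {
        "file": {"filename": "relay-old.log"},
        "flags": ["dhcpv6-packet-option", "dhcpv6-state"],
    },
}

if __name__ == "__main__":
    print(resolve_traceoptions(SAMPLE_CONFIG))
```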
• Support for filter Enhanced Network Services mode (MX Series routers with MPCs)—Junos OS Release 11.4 supports the limiting of static service filters or API-client filters to term-based filter format only for inet or inet6 families when Enhanced Network
Services mode is configured at the [edit chassis network-services] hierarchy level. When
used with one of the chassis Enhanced Network Services modes, firewall filters are
generated only in term-based format for use with MPCs.
To configure a firewall filter for use with Enhanced Network Services mode, include
the enhanced-mode statement at the [edit firewall family inet filter filter-name] or [edit
firewall family inet6 filter filter-name] hierarchy level.
[Subscriber Access]
• CoS enhancements for managing bandwidth for subscriber services (MX Series routers with MPC/MIC interfaces)—Enables you to prioritize and manage bandwidth for services more effectively at different levels of the broadband edge network. These
enhancements are supported on MPC/MIC modules on MX Series routers.
By default, MPC/MIC interfaces support scheduling of excess bandwidth for both low-
and high-priority traffic. You can now specify the specific priority of the excess
bandwidth by including the excess-rate-high [proportional value | percent value]
statement or the excess-rate-low [ proportional value | percent value ] statement at
the [edit class-of-service traffic-class-profile profile-name] hierarchy level or the [edit
dynamic-profiles profile-name class-of-service traffic-class-profile profile-name] hierarchy
level. Note that when you configure the excess-rate statement for an interface, you
cannot also configure the excess-rate-low and excess-rate-high statements. We
recommend that you configure either a percentage or a proportion of the excess
bandwidth for all schedulers with the same parent in the hierarchy. For example, if you
configure interface 1.1 with 20% of the excess bandwidth, configure interface 1.2 with
80% of the excess bandwidth.
On MPC/MIC interfaces, you can configure shaping of aggregate traffic at a given
priority. By default, when traffic exceeds the shaping or guaranteed rates, the system
demotes traffic with guaranteed priority. You can disable priority demotion by including
the none option with the excess-priority statement at the [edit class-of-service
schedulers scheduler-name] hierarchy level or the [edit dynamic-profiles profile-name
class-of-service schedulers scheduler-name] hierarchy level. Traffic that exceeds the
shaping rate is dropped.
You can now configure a burst size for the shaping rate and guaranteed rate at the
traffic control profile level, as well as for the shaping rate at the scheduler level. The
burst value determines the number of rate credits that can accrue when the queue or
scheduler node is held in the inactive round robin. This feature is useful to prevent
excessive buffering at downstream DSLAMs, which typically have limited QoS and
buffering capabilities. Include the burst-size option with the shaping-rate or
guaranteed-rate statement at the [edit class-of-service traffic-control-profile
profile-name] hierarchy level or the [edit dynamic-profiles profile-name class-of-service
traffic-control-profile profile-name] hierarchy level. You can also include the burst-size
option with the shaping rate at the [edit class-of-service schedulers scheduler-name]
hierarchy level or the [edit dynamic-profiles profile-name class-of-service schedulers
scheduler-name] hierarchy level.
In addition, you can now configure an excess rate when no guaranteed rate is specified
for a scheduler hierarchy without receiving a commit error.
[Class of Service, Subscriber Access]
• Support for automatic removal of subscriber VLANs—Junos OS Release 11.4 supports the automatic removal of subscriber VLANs when no client sessions (for example,
DHCP or PPPoE) exist on the VLAN. Before Junos OS Release 11.4, you were only able
to clear or delete subscriber VLANs manually.
To automatically remove unused dynamic subscriber VLANS, include the
remove-when-no-subscribers statement at the [edit interfaces interface-name
auto-configure] hierarchy level.
NOTE: The maintain-subscriber statement and remove-when-no-subscribers
statement are mutually exclusive. You cannot specify that dynamically configured VLAN interfaces are removed when no subscribers exist when the router is also configured to maintain subscribers.
When configuring automatic removal of dynamic subscriber VLANs, keep the following
in mind:
• You can configure automatic VLAN removal only on individual physical interfaces.
You cannot configure the feature globally.
• Automatic VLAN removal is not supported for use on Layer 2 Wholesale interfaces.
• PPPoE subscriber interfaces require the use of dynamic profiles when configured
over dynamic VLANS. However, dynamic profiles are not required for use with DHCP
subscriber interfaces that use underlying dynamic VLANs. Because the
remove-when-no-subscribers functionality triggers when no dynamic client sessions
exist on a dynamic VLAN, automatic removal of underlying dynamic VLANs is not
supported when DHCP subscriber interfaces are not created using dynamic profiles.
[Subscriber Access, Network Interfaces]
• Support for address pool threshold traps (MX Series 3D Universal Edge Routers)—You can now set usage threshold traps to give advanced warning that an address pool is
running short on available addresses. To configure address pool usage threshold traps,
include the abatedUtilization utilization-value, abatedUtilization-v6 utilization-value,
highUtilization percentage, and highUtilization-v6 percentage statements at the [edit
access address-assignment] hierarchy level.
[Subscriber Access]
• Using access profiles to manage NAS port information (MX Series routers)—Subscriber management uses default settings and values specified in RADIUS to identify the NAS port used for subscriber authentication. The NAS-Port-Id (RADIUS
attribute 87) and NAS-Port-Type (RADIUS attribute 61) provide the NAS port
identification and type information.
You can optionally configure access profiles to provide alternate values for the RADIUS
NAS-Port-Id and NAS-Port-Type attributes. This enables you to use access profiles
to specify the NAS port that is used for a given connection. For example, you might
configure an access profile that specifies that a NAS port type of wireless is used for
all Ethernet connections that are managed by that access profile.
To configure an optional NAS-Port-Id, use the nas-port-id-format statement at the
[edit access profile profile-name radius options] hierarchy level. The optional NAS-Port-Id
can include any combination of the NAS identifier, the Agent Circuit ID (ACI), the Agent
Remote ID (ARI), and the interface description.
To configure an optional NAS-Port-Type, use the nas-port-type statement at the [edit
access profile profile-name radius options] hierarchy level. The optional port type values
are specified in RFC 2865 and are also described in the Junos OS Subscriber Access
Configuration Guide.
[Subscriber Access]
System Logging
• New and deprecated system log tags—The following set of system log messages are
new in this release:
• ANALYZER—This chapter describes messages with the ANALYZER prefix on the
Juniper Networks EX Series switches. They are generated by the sample process
(sampled), which gathers information on mirrored traffic analysis for EX Series
switches.
• FABOAMD—This chapter describes messages with the FABOAMD prefix on the
Juniper Networks QFabric QFX3000 switch. They are generated by the QFabric
switch Operations, Administration, and Maintenance (OAM) process (faboamd),
which enables OAM operations (such as a fabric ping) across different devices in
the QFabric switch.
The following system log messages are new in this release:
• ANALYZER_INPUT_INTERFACES_LIMIT
• APPIDD_APPPACK_INSTALL_RESULT
• APPIDD_INTERNAL_ERROR
• APPTRACK_SESSION_APP_UPDATE_LS
• APPTRACK_SESSION_CLOSE_LS
• APPTRACK_SESSION_CREATE_LS
• APPTRACK_SESSION_VOL_UPDATE_LS
• ASP_NAT_PORT_BLOCK_ALLOC
• ASP_NAT_PORT_BLOCK_RELEASE
• CHASSISD_ACQUIRE_MASTERSHIP
• CHASSISD_FM_ACTION_FPC_OFFLINE
• CHASSISD_FM_ACTION_FPC_ONLINE
• CHASSISD_FM_ACTION_FPC_POWER_OFF
• CHASSISD_FM_ACTION_FPC_RESTART
• CHASSISD_FM_ACTION_PLANE_OFFLINE
• CHASSISD_FM_ACTION_PLANE_ONLINE
• CHASSISD_FM_DETECT_PLANES_DOWN
• CHASSISD_FM_DETECT_UNREACHABLE
• CHASSISD_VCHASSIS_LICENSE_ERROR
• DCBX_PFC_DISABLED
• DCBX_PFC_ENABLED
• DCD_PARSE_WARN_INCOMPATIBLE_CFG
• ESWD_LEARNT_FDB_MEMORY_ERROR
• ESWD_OUT_OF_LOW_MEMORY
• ESWD_STATIC_FDB_MEMORY_WARNING
• ESWD_VLAN_MAC_LIMIT_EXCEEDED
• EVENTD_SECURITY_LOG_CLEAR
• FABOAMD_DEBUGGING
• FABOAMD_TASK_SOCK_ERR
• FLOW_HIGH_WATERMARK_TRIGGERED_LS
• FLOW_IP_ACTION_LS
• FLOW_LOW_WATERMARK_TRIGGERED_LS
• FWAUTH_FTP_LONG_PASSWORD_LS
• FWAUTH_FTP_LONG_USERNAME_LS
• FWAUTH_FTP_USER_AUTH_ACCEPTED_LS
• FWAUTH_FTP_USER_AUTH_FAIL_LS
• FWAUTH_HTTP_USER_AUTH_FAIL_LS
• FWAUTH_HTTP_USER_AUTH_OK_LS
• FWAUTH_TELNET_LONG_PASSWORD_LS
• FWAUTH_TELNET_LONG_USERNAME_LS
• FWAUTH_TELNET_USER_AUTH_FAIL_LS
• FWAUTH_TELNET_USER_AUTH_OK_LS
• FWAUTH_WEBAUTH_FAIL_LS
• FWAUTH_WEBAUTH_SUCCESS_LS
• IDP_APPDDOS_APP_ATTACK_EVENT_LS
• IDP_APPDDOS_APP_STATE_EVENT_LS
• IDP_ATTACK_LOG_EVENT_LS
• IDP_SESSION_LOG_EVENT_LS
• JSRPD_SET_HW_MON_FAILURE
• JSRPD_SET_LOOPBACK_MON_FAILURE
• JSRPD_SET_MBUF_MON_FAILURE
• JSRPD_SET_NEXTHOP_MON_FAILURE
• JSRPD_UNSET_HW_MON_FAILURE
• JSRPD_UNSET_LOOPBACK_MON_FAILURE
• JSRPD_UNSET_MBUF_MON_FAILURE
• JSRPD_UNSET_NEXTHOP_MON_FAILURE
• L2ALD_FREE_MAC_FAILED
• LACPD_TIMEOUT
• LICENSE_SHM_ATTACH_FAILURE
• LICENSE_SHM_CREATE_FAILURE
• LICENSE_SHM_DETACH_FAILURE
• LICENSE_SHM_FILE_OPEN_FAILURE
• LICENSE_SHM_KEY_CREATE_FAILURE
• LICENSE_SHM_SCALE_READ_FAILURE
• LICENSE_SHM_SCALE_UPDATE_FAILURE
• LSYSD_CFG_RD_FAILED
• LSYSD_INIT_FAILED
• LSYSD_SEC_NODE_COMP_SYNC_FAILED
• PKID_AFTER_KEY_GEN_SELF_TEST
• PKID_CORRUPT_CERT
• PKID_FIPS_KAT_SUCCESS
• PKID_PV_OBJECT_READ
• RPD_MPLS_REQ_BW_NOT_AVAILABLE
• RPD_PTHREAD_CREATE
• RPD_RSVP_INCORRECT_FLOWSPEC
• RPD_RT_CFG_EIBGP_VTL_CONFLICT
• RT_FLOW_SESSION_CLOSE_LS
• RT_FLOW_SESSION_CREATE_LS
• RT_FLOW_SESSION_DENY_LS
• RT_SCREEN_ICMP_LS
• RT_SCREEN_IP_LS
• RT_SCREEN_SESSION_LIMIT_LS
• RT_SCREEN_TCP_DST_IP_LS
• RT_SCREEN_TCP_LS
• RT_SCREEN_TCP_SRC_IP_LS
• RT_SCREEN_UDP_LS
• RTLOG_UTP_TCP_SYN_FLOOD_LS
• SYSTEM_ABNORMAL_SHUTDOWN
• UI_AUTH_BAD_LOCATION
• UI_AUTH_BAD_TIME
• UI_CLASS_MODIFIED_USERS
• UI_CLI_IDLE_TIMEOUT
• UI_COND_GROUPS
• UI_COND_GROUPS_COMMIT
• UI_COND_GROUPS_COMMIT_ABORT
• UTMD_MAILNOTIFIER_FAILURE
• WEBFILTER_URL_REDIRECTED
The following system log messages are no longer documented, either because they
indicate internal software errors that are not caused by configuration problems or
because they are no longer generated. If these messages appear in your log, contact
your technical support representative for assistance:
• AV_HUGE_FILE_DROPPED_MT
• AV_HUGE_FILE_NOT_SCANNED_MT
• AV_MANY_MSGS_DROPPED_MT
• AV_MANY_MSGS_NOT_SCANNED_MT
• AV_SCANNER_DROP_FILE_MT
• AV_SCANNER_ERROR_SKIPPED_MT
• AV_VIRUS_DETECTED_MT
• CHASSISD_FM_FABRIC_DOWN
• CHASSISD_FPC_FABRIC_DOWN_REBOOT
• DCD_PARSE_ERR_INCOMPATIBLE_CFG
• JSRPD_SET_IP_MON_FAILURE
• JSRPD_UNSET_IP_MON_FAILURE
• KMD_DPD_IKE_SERVER_NOT_FOUND
• KMD_DPD_INVALID_ADDRESS
• KMD_DPD_INVALID_SEQUENCE_NUMBER
• KMD_DPD_NO_LOCAL_ADDRESS
• KMD_DPD_REMOTE_PEER_NOT_FOUND
• KMD_DPD_UNEXPECTED_IKE_STATUS
• KMD_PM_AUTH_ALGORITHM_INVALID
• KMD_PM_DYNAMIC_SA_INSTALL_FAILED
• KMD_PM_ENCRYPTION_INVALID
• KMD_PM_IKE_SRV_NOT_FOUND_CREATE
• KMD_PM_KEY_NOT_SUPPORTED
• KMD_PM_LIFETIME_DUPLICATE
• KMD_PM_LIFETIME_LENGTH_UNEQUA
• KMD_PM_LIFETIME_NO_DURATION
• KMD_PM_LIFETIME_TYPE_UNDEFINED
• KMD_PM_LIFETIME_UNITS_INVALID
• KMD_PM_NEW_GROUP_UNSUPPORTED
• KMD_PM_PHASE1_GROUP_UNREADABLE
• KMD_PM_PHASE1_IKE_SRV_NOT_FOUND
• KMD_PM_PHASE1_NO_IDENTITIES
• KMD_PM_PHASE1_NO_SPD_HANDLER
• KMD_PM_PHASE1_POLICY_LOOKUP_FAIL
• KMD_PM_PHASE1_POLICY_NOT_FOUND
• KMD_PM_PHASE1_PROTO_INVALID
• KMD_PM_PHASE1_PROTO_NOT_ISAKMP
• KMD_PM_PHASE1_PROTO_TWICE
• KMD_PM_PHASE1_TXFORM_INCOMPLETE
• KMD_PM_PHASE1_TXFORM_INVALID
• KMD_PM_PHASE2_IDENTITY_MISMATCH
• KMD_PM_PHASE2_NOTIF_UNKNOWN
• KMD_PM_PHASE2_SELECTOR_UNDEFINED
• KMD_PM_PROPOSAL_NO_AUTH
• KMD_PM_PROPOSAL_NO_ENCRYPTION
• KMD_PM_PROPOSAL_NO_KEY_LENGTH
• KMD_PM_PROPOSAL_NULL_ESP
• KMD_PM_PROPOSAL_PROTOCOL_INVALID
• KMD_PM_PROTO_NOT_NEGOTIATED
• KMD_PM_REMOTE_PEER_INVALID
• KMD_PM_SA_DELETE_REJECT
• KMD_SNMP_IKE_SERVER_NOT_FOUND
• KMD_VPN_PV_KEY_EXCHG
• RT_GTP_BAD_LICENSE
• RT_GTP_DEL_TUNNEL_V0
• RT_GTP_DEL_TUNNEL_V1
• RT_GTP_SANITY_EXTENSION_HEADER
• RT_SIP_MEM_ALLOC_FAILED
• SSH_FIPS_SELFTEST_EXECUTED
• SSH_KEYGEN_SELFTEST_DSA
• SSH_KEYGEN_SELFTEST_RSA
• SSH_MSG_REPLAY_DETECT
• SSHD_FIPS_SELFTEST_EXECUTED
• VSYSD_INIT_FAILED
• Support for forwarding structured system log messages to remote system log server—The structured-data configuration statement is added at the [edit system syslog host] hierarchy level to enable the forwarding of system log messages in a
structured format to a remote system log server. This statement configures the eventd
process to forward system log messages in the IETF format, which allows
vendor-specific extensions to be included in the message in a structured way. The
system log messages can be received on a centralized server that is capable of
accepting structured messages.
By default, the eventd process forwards the entire message to the remote system log
server, when message forwarding is enabled. The eventd process can be enabled to
send only part of the message (strip the free-form text message). This configuration
can be set by using the brief option provided for the structured-data statement.
[System Basics]
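As an added example (not code from the release notes), a parser for the RFC 5424 structured-data form that the structured-data statement forwards, showing that the structured fields survive the brief option even though the free-form text is stripped. The sample messages, the enterprise number 2636 in the SD-ID and the parameter names are constructed for the example.

```python
"""Parser for RFC 5424 structured-data syslog, the IETF format that the
structured-data statement forwards to a remote collector.  Added example, not
Juniper code; the sample messages, enterprise number and parameter names below
are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\d+ (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")

@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    procid: str
    msgid: str                                    # Junos tag, e.g. UI_COMMIT
    sd: Dict[str, Dict[str, str]] = field(default_factory=dict)
    msg: Optional[str] = None                     # None when brief stripped it

def _parse_sd_params(body: str) -> Dict[str, str]:
    """Parse name="value" pairs, honouring RFC 5424 backslash escapes."""
    params: Dict[str, str] = {}
    pos, n = 0, len(body)
    while pos < n:
        if body[pos] == " ":
            pos += 1
            continue
        eq = body.index("=", pos)
        name = body[pos:eq]
        if body[eq + 1:eq + 2] != '"':
            raise ValueError(f"unquoted PARAM-VALUE for {name}")
        pos, chars = eq + 2, []
        while body[pos] != '"':
            if body[pos] == "\\":                 # escaped ", ] or backslash
                pos += 1
            chars.append(body[pos])
            pos += 1
        params[name] = "".join(chars)
        pos += 1                                  # skip the closing quote
    return params

def parse(line: str) -> SyslogMessage:
    """Split one message into header, SD-ELEMENTs and the optional MSG part."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    out = SyslogMessage(pri >> 3, pri & 7, m["ts"], m["host"],
                        m["app"], m["procid"], m["msgid"])
    rest = line[m.end():]
    if rest.startswith("-"):                      # NILVALUE: no structured data
        rest = rest[1:]
    while rest.startswith("["):
        i, in_quotes = 1, False                   # find the unescaped closing ]
        while True:
            ch = rest[i]
            if in_quotes and ch == "\\":
                i += 2
                continue
            if ch == '"':
                in_quotes = not in_quotes
            elif ch == "]" and not in_quotes:
                break
            i += 1
        sd_id, _, params = rest[1:i].partition(" ")
        out.sd[sd_id] = _parse_sd_params(params)
        rest = rest[i + 1:]
    # Full form: " free-form text"; brief form: nothing after the last ]
    out.msg = rest[1:] if rest.startswith(" ") else None
    return out

def values_for(lines: List[str], msgid: str, param: str) -> List[str]:
    """Collect one SD parameter from every message with the given tag. Keyed on
    structured fields, so it behaves the same for full and brief messages."""
    found = []
    for line in lines:
        m = parse(line)
        if m.msgid == msgid:
            found.extend(p[param] for p in m.sd.values() if param in p)
    return found

# Constructed samples: one commit event as forwarded in full, then the same
# event as forwarded with the brief option (free-form text stripped).
FULL = ('<189>1 2011-12-01T10:15:02.123Z mx1 mgd 4321 UI_COMMIT '
        '[junos@2636.1.1.1.2.18 username="admin" commit-comment="rollback \\"test\\""] '
        "User 'admin' performed commit: rollback \"test\"")
BRIEF = ('<189>1 2011-12-01T10:15:02.123Z mx1 mgd 4321 UI_COMMIT '
         '[junos@2636.1.1.1.2.18 username="admin" commit-comment="rollback \\"test\\""]')
```

Collector rules that key on the SD parameters rather than on the free-form text keep working when brief is enabled; rules that grep the text do not.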
• Support for configuring system log file rotation frequency—The log-rotate-frequency
configuration statement is added at the [edit system syslog] hierarchy to configure the
system log file rotation frequency. The log rotation frequency is altered by configuring
the time interval at which the log file size is checked. When the log file size has exceeded
the configured limit, the old log file is archived and a new log file is created. The default
log rotation frequency is 15 minutes and it can be configured for any value between 1
minute through 59 minutes.
Currently, the cron process schedules the newsyslog process every 15 minutes and this
value cannot be changed by administrators. If logging to log files takes place at a very
rapid rate, log files can grow in size much beyond their actual configured limit before
the newsyslog process can be scheduled to rotate the files. The log-rotate-frequency
configuration statement helps to overcome this limitation.
[System Basics]
• System logging for logical systems (M Series, MX Series, and T Series routers)—To configure, include the syslog statement at the [edit logical-systems logical-system-name
system] hierarchy level. To view the system log, run the show log
logical-system-name/file-name command.
[Logical Systems]
User Interface and Configuration
• Support for the confirmed option with the commit command in the edit private mode—In Junos OS Release 11.4 and later, you can also use the commit confirmed
command in the [edit private] configuration mode.
[CLI User Guide]
• Support for configuring a proxy server for downloading licenses—In Junos OS Release 11.4 and later, you can download Juniper Networks license updates using a proxy server.
In earlier releases, downloading license updates was only possible by directly connecting
to the Juniper Networks License Management System. In an enterprise, there might be
devices in a private network that are restricted from connecting to the Internet
directly for security reasons.
In such scenarios, you can configure a proxy server in the private network to connect
to the LMS and download the license updates, and have the routers or devices in the
private network connect to the proxy server to download the licenses or license updates.
To enable this feature, configure the device with details of the proxy server at the [edit
system proxy] hierarchy level.
[System Basics]
VPNs
• NTP support for IPv6 VRF—In Junos OS Release 11.4 and later, NTP also supports IPv6 VPN routing and forwarding (VRF) requests in addition to IPv4 VRF requests. This
enables an NTP server running on a provider edge (PE) router to respond to NTP
requests from a customer edge (CE) router. As a result, a PE router can process any
NTP request packet coming from different routing instances.
[System Basics]
• Extended Y.1731 functionality on VPLS for frame-delay and delay-variation (MX Series routers with MPC interfaces)—MX Series routers with Modular Port Concentrators (MPCs) support Y.1731 functionality on VPLS for frame delay and delay
variation.
[VPNs, Line Card Guide]
• Extends egress protection LSP support and interoperability between MX Series DPCs and MPC/MIC interfaces (MX240, MX480, and MX960 routers)—An egress protection LSP addresses the problem when a link failure occurs at the edge of the
network (for example, a link failure between a PE router and a CE device). An egress
protection LSP is an RSVP-signaled ultimate hop popping LSP. Egress protection LSPs
do not address the problem of a node failure at the edge of the network (for example,
a failure of a PE router). Starting with Release 11.4, Junos OS extends support for egress
protection LSP to MPC/MIC interfaces. Egress protection LSP can now interoperate
between MX Series DPCs and MPC/MIC interfaces when both types are present on
the same MX Series router. In previous Junos OS releases, this feature was supported
only on DPCs in MX Series routers.
[VPNs]
Related Documentation
• Changes in Default Behavior and Syntax, and for Future Releases in Junos OS Release
11.4 for M Series, MX Series, and T Series Routers
• Issues in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers
• Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series,
and T Series Routers on page 117
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for M Series, MX Series,
and T Series Routers
Errata and Changes in Documentation for Junos OS Release 11.4 for M Series, MX Series, and T Series Routers
Errata
The Junos OS Documentation for M, MX, and T Series Routers documentation index page
correctly points to the Junos 11.2 version. The Junos OS Release 11.4 version of this page
will release in a later phase of Junos OS Release 11.4.
High Availability
• TX Matrix Plus routers and T1600 routers that are configured as part of a routing matrix
do not currently support nonstop active routing.
[High Availability]
Interfaces and Chassis
• The Configuring Layer 2 Circuit Transport Mode chapter in the Network Interfaces
Configuration Guide states that one way to configure an ATM II interface to enable a
Layer 2 circuit connection across all versions of Junos OS is the following:
• For Layer 2 circuit cell relay and Layer 2 trunk modes, the atm-l2circuit-mode cell
statement at the [edit chassis fpc slot pic slot] hierarchy level and the encapsulation
atm-ccc-cell-relay statement at the [edit interface interface-name] hierarchy level.
The configuration above is correct and interoperates with routers running all versions
of Junos OS.
However, the chapter does not mention that you can also include the encapsulation
atm-ccc-cell-relay statement at the [edit interface interface-name unit
logical-unit-number] hierarchy level. When you use this configuration, keep the following
points in mind:
• This configuration interoperates between Juniper Networks routers running Junos
OS Release 8.2 or earlier.
• This configuration does not interoperate with other network equipment, including a
Juniper Networks router running Junos OS Release 8.3 or later.
• For a Juniper Networks router running Junos OS Release 8.3 or later to interoperate
with another Juniper Networks router running Junos OS Release 8.2 or earlier, on the
router running Junos OS Release 8.3 or later, include the use-null-cw statement at
the [edit interfaces interface-name atm-options] hierarchy level.
• The use-null-cw statement inserts (for sending traffic) or strips (for receiving traffic)
an extra null control word in the MPLS packet.
• The use-null-cw statement is not supported on a router running Junos OS Release
8.2 or earlier.
[ATM Interfaces]
• With Junos OS Release 10.1 and later, you need not include the tunnel option or the
clear-dont-fragment-bit statement when configuring allow-fragmentation on a tunnel.
[Services Interfaces]
• The 10.3 through 11.1 Network Interfaces Configuration Guides and the 11.2 Ethernet
Interfaces Configuration Guide require the following corrections:
• A new fifth bullet was added to the "802.3 link aggregation" bullet list, as follows:
Multiple Juniper Networks Type 4, 100-Gigabit Ethernet PICs on a T1600 router can
be combined into a static aggregated Ethernet bundle to connect to a different type
of 100 gigabit Ethernet PIC on a remote router, from Juniper Networks or other
vendors. LACP is not supported in this configuration.
• The "Ingress traffic performance" bullet was revised and now reads as follows:
Ingress traffic performance—Maximum ingress throughput is 100 gigabits per second
on the physical interface, with 50 gigabits per second on the two assigned logical
interfaces. To achieve 100 gigabits per second ingress traffic performance, use one
of the interoperability modes described below. For example, if VLAN steering mode
is not used when connecting to a remote 100 gigabits per second interface (that is
on a different 100 gigabits per second PIC on a Juniper Networks router or a different
vendor’s equipment), then all ingress traffic will try to use one of the 50 gigabits per
second Packet Forwarding Engines, rather than be distributed among the two 50
gigabits per second Packet Forwarding Engines, resulting in a total of 50 gigabits
per second ingress performance.
[Network Interfaces, Ethernet Interfaces]
J-Web Interface
• To access the J-Web interface, your management device requires the following
software:
• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox version
3.0
• Language support—English-version browsers
• Supported OS—Microsoft Windows XP Service Pack 3
Layer 2 Ethernet Services
• In the Layer 2 Configuration Guide, the examples provided in the sections, Configuring
Layer 2 Protocol Tunneling, Configuring BPDU Protection on Individual Interfaces, and
Configuring BPDU Protection on All Edge Ports are incorrect for configuring layer 2
tunneling with routing instances.
Multicast
• The listings for the following RFCs incorrectly state that Junos OS supports only SSM
include mode. Both include mode and exclude mode are supported in Junos OS Release
9.3 and later.
• RFC 3376, Internet Group Management Protocol, Version 3
• RFC 3590, Source Address Selection for the Multicast Listener Discovery (MLD) Protocol
[Hierarchy and Standards Reference]
Routing Policy and Firewall Filters
• The DDoS Protection Operational Mode Commands in the Junos OS System Basics and
Services Command Reference Guide incorrectly cites the Junos OS System Basics
Configuration Guide for related configuration information. This information is actually
available in the Junos OS DDoS Protection Configuration Guide.
[System Basics Command Reference]
• The protocols (DDoS) configuration statement topic and the show ddos-protection
protocols command topic erroneously list firewall-reject as an available protocol group.
The correct name for this protocol group in the CLI is reject. The protocol group is now
correctly described as Packets rejected by a next-hop forwarding decision.
[DDoS Protection]
Services Applications
• The clear services l2tp session statistics and clear services l2tp tunnel statistics topics
in the System Basics and Services Command Reference Guide for Junos OS Release
10.4 through 11.4 erroneously state that these commands are supported on MX Series
routers. In fact, this support will be added in a future release.
[System Basics and Services Command Reference]
• The rate statement for packet sampling is now configured at the [edit forwarding
options sampling input family family] hierarchy level.
[Services Interfaces]
Subscriber Access Management
• In the Configuring Per-Subscriber Session Accounting topic in the Subscriber Access
Configuration Guide, the description of the update-interval statement incorrectly states
that an interval of 10 through 15 minutes is rounded up to 15. The actual behavior is
that all configured values are rounded up to the next higher multiple of 10. For example,
the values 811 through 819 are all accepted by the CLI, but are all rounded up to 820.
[Subscriber Access]
• The DHCP in Broadband Networks topic erroneously states that the Junos OS subscriber
management solution currently supports only DHCP as a multiple-client configuration
protocol. However, subscriber management solutions support DHCP and PPPoE as
multiple-client configuration protocols.
[Broadband Subscriber Management Solutions]
• The Configuring Service Packet Counting topic in the Junos OS Subscriber Access
Configuration Guide does not include the following configuration guideline. When you
specify the service-accounting action for the term, you cannot additionally configure
the count action in the same term.
[Subscriber Access]
• The table titled Supported Juniper Networks VSAs in the Juniper Networks VSAs
Supported by the AAA Service Framework topic lists RADIUS VSA 26-157
(IPv6-NdRa-Pool-Name). This VSA is not supported and should not appear in the
table.
[Subscriber Access]
• The Configuring a Dynamic Profile for Client Access topic erroneously uses the
$junos-underlying-interface variable when an IGMP interface is configured in the client
access dynamic profile. The following example provides the appropriate use of the
$junos-interface-name variable:
[edit dynamic-profiles access-profile]
user@host# set protocols igmp interface $junos-interface-name
• Table 25 in the Dynamic Variables Overview topic does not define the
$junos-igmp-version predefined dynamic variable. This variable is defined as follows:
$junos-igmp-version—IGMP version configured in a client access profile. Junos OS
obtains this information from the RADIUS server when a subscriber accesses the router.
The version is applied to the accessing subscriber when the profile is instantiated. You
specify this variable at the [dynamic-profiles profile-name protocols igmp] hierarchy
level for the interface statement.
In addition, the Subscriber Access Configuration Guide erroneously specifies the use of
a colon (:) when you configure the dynamic profile to define the IGMP version for client
interfaces. The following example provides the appropriate syntax for setting the IGMP
interface to obtain the IGMP version from RADIUS:
[edit dynamic-profiles access-profile protocols igmp interface $junos-interface-name]
user@host# set version $junos-igmp-version
• The Subscriber Access Configuration Guide and the System Basics Configuration Guide
contain information about the override-nas-information statement. This statement
does not appear in the CLI and is not supported.
[Subscriber Access, System Basics]
• When you modify dynamic CoS parameters with a RADIUS change of authorization
(CoA) message, Junos OS accepts invalid configurations. For example, if you specify
a transmit rate that exceeds the allowed 100 percent, the system does not reject the
configuration and returns unexpected shaping behavior.
[Subscriber Access]
• Juniper Networks does not support multicast RIF mapping and ANCP when configured
simultaneously on the same logical interface. For example, configuring a multicast
VLAN and ANCP on the same logical interface is not supported, and the subscriber
VLANs are the same for both ANCP and multicast.
[Subscriber Access]
• The Guidelines for Configuring Dynamic CoS for Subscriber Access topic in the Subscriber
Access Configuration Guide erroneously states that dynamic CoS is supported for
dynamic VLANs on the Trio MPC/MIC family of products. In Junos OS Release 11.1,
dynamic CoS is supported only on static VLANs on Trio MPC/MIC interfaces.
[Subscriber Access]
• The Subscriber Access Configuration Guide incorrectly describes the authentication-order
statement as it is used for subscriber access management. When configuring the
authentication-order statement for subscriber access management, you must always
specify the radius method. Subscriber access management does not support the
password keyword (the default), and authentication fails when you do not specify an
authentication method.
[Subscriber Access]
• In the Subscriber Access Configuration Guide, the Juniper Networks VSAs Supported by
the AAA Service Framework table and the RADIUS-Based Mirroring Attributes table
incorrectly describe VSA 26-59. The correct description is as follows:
Attribute Number   Attribute Name    Description
26-59              Med-Dev-Handle    Identifier that associates mirrored traffic to a specific subscriber.
[Subscriber Access]
• In the Subscriber Access Configuration Guide, the table titled "Supported Juniper
Networks VSAs" in the "Juniper Networks VSAs Supported by the AAA Service
Framework" topic lists RADIUS VSA 26-42 (Input-Gigapackets) and VSA 26-43
(Output-Gigapackets). These two VSAs are not supported.
[Subscriber Access]
• In the Junos OS Subscriber Access Configuration Guide, the "Qualifications for Change of
Authorization" section in the topic titled “RADIUS-initiated Change of Authorization
(CoA) Overview”, has been rewritten as follows to clarify how CoA uses the RADIUS
attributes and VSAs.
Qualifications for Change of Authorization
To complete the change of authorization for a user, you specify identification
attributes and session attributes. The identification attributes identify the subscriber.
Session attributes specify the operation (activation or deactivation) to perform on
the subscriber’s session and also include any client attributes for the session (for
example, QoS attributes). The AAA Service Framework handles the actual request.
Table 10 on page 123 shows the identification attributes for CoA operations.
NOTE: Using the Acct-Session-ID attribute to identify the subscriber session is more explicit than using the User-Name attribute. When you use the Acct-Session-ID, the attribute identifies the specific subscriber and session. When you use the User-Name as the identifier, the CoA operation is applied to the first session that was logged in with the specified username. However, because a subscriber might have multiple sessions associated with the same username, the first session might not be the correct session for the CoA operation.
Table 10: Identification Attributes
Attribute                                Description
User-Name [RADIUS attribute 1]           Subscriber username.
Acct-Session-ID [RADIUS attribute 44]    Specific subscriber and session.
Table 11 on page 123 shows the session attributes for CoA operations. Any additional
client attributes that you include depend on your particular session requirements.
Table 11: Session Attributes
Attribute                                          Description
Activate-Service [Juniper Networks VSA 26–65]      Service to activate for the subscriber.
Deactivate-Service [Juniper Networks VSA 26–66]    Service to deactivate for the subscriber.
[Subscriber Access]
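The attribute tables above, as an added example that is not part of the guide text: encoding a CoA-Request that identifies the session explicitly by Acct-Session-ID (rather than User-Name) and carries Activate-Service, and verifying the peer's CoA-ACK or CoA-NAK as RFC 5176 specifies. The Juniper enterprise number 2636, the shared secret, the session ID and the service name are assumptions.

```python
"""RADIUS Change-of-Authorization (RFC 5176) messages carrying the
identification and session attributes from Tables 10 and 11.  Added example,
not Juniper code: the Juniper enterprise number (2636), the shared secret,
session ID and service name are assumptions/constructed."""
import hashlib
import hmac
import struct
from typing import List, Tuple

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME = 1                  # RADIUS attribute 1 (Table 10)
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44           # RADIUS attribute 44 (Table 10)
JUNIPER_PEN = 2636                  # assumed IANA enterprise number for the VSAs
VSA_ACTIVATE_SERVICE = 65           # Juniper Networks VSA 26-65 (Table 11)
VSA_DEACTIVATE_SERVICE = 66         # Juniper Networks VSA 26-66 (Table 11)

def attribute(attr_type: int, value: bytes) -> bytes:
    """Standard AVP: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def juniper_vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific AVP (type 26): Vendor-Id, then one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", JUNIPER_PEN) + sub)

def build_coa_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """CoA-Request. Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + Attributes + Secret)."""
    head = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs

def activate_service_by_session(identifier: int, acct_session_id: str,
                                service: str, secret: bytes) -> bytes:
    """Identify the session explicitly with Acct-Session-ID rather than
    User-Name (see the NOTE above), then ask for Activate-Service."""
    attrs = (attribute(ATTR_ACCT_SESSION_ID, acct_session_id.encode())
             + juniper_vsa(VSA_ACTIVATE_SERVICE, service.encode()))
    return build_coa_request(identifier, attrs, secret)

def build_coa_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Peer side: CoA-ACK/NAK. Response Authenticator = MD5(Code + ID +
    Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Accept a CoA-ACK/NAK only if it echoes our identifier and its Response
    Authenticator binds it to our request authenticator and the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def decode_attributes(packet: bytes) -> List[Tuple]:
    """Walk the AVPs after the 20-byte header. Juniper VSAs come back as
    ('vsa', vendor_type, value); everything else as (type, value)."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("malformed attribute")
        val = packet[pos + 2:pos + ln]
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == JUNIPER_PEN:
            out.append(("vsa", val[4], val[6:4 + val[5]]))
        else:
            out.append((t, val))
        pos += ln
    return out

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = activate_service_by_session(7, "mx1:0000ABCD", "video-gold", secret)
    ack = build_coa_response(COA_ACK, req, b"", secret)
    print(decode_attributes(req), verify_response(ack, req, secret))
```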
System Logging
• The Junos OS Release 11.2 System Log Error Messages Reference Guide does not list
the following new message that is now recorded in the system log, when the RSVP
fails to reserve the requested bandwidth for a label-switched path (LSP):
RPD_MPLS_REQ_BW_NOT_AVAILABLE
System Log Message: RSVP failed to set up path with the requested bandwidth on
LSP lsp-name
Description: After a successful CSPF computation, network conditions changed and
RSVP failed to set up path with the requested bandwidth and resulted in a path error.
The LSP did not come up if it happened during initial LSP establishment. Otherwise,
during an optimization or automatic bandwidth adjustment, the LSP continued to stay
up on the old path and used the previous amount of bandwidth.
Type: Event: This message reports an event, not an error
Severity: warning
Facility: LOG_DAEMON
Action: This condition arises when the requested bandwidth is not available. No action
is required in general, but if the LSP does not get established in the first place, you may
want to re-optimize the LSP, change the LSP bandwidth configuration, or add additional
hardware to increase the available bandwidth.
[System Log Error Messages Reference]
User Interface and Configuration
• The show system statistics bridge command displays system statistics on MX Series
routers.
[System Basics Command Reference]
VPNs
• Junos OS Release 11.2 and earlier do not support point-to-multipoint LSPs with
next-generation multicast VPNs on MX80 routers.
[VPNs]
• In Chapter 19, Configuring VPLS of the VPNs Configuration Guide, an incorrect statement
that caused contradictory information about which platforms support LDP BGP
interworking has been removed. The M7i router was also omitted from the list of
supported platforms. The M7i router does support LDP BGP interworking.
[VPNs]
Changes to the Junos OS Documentation Set
The following are the changes made to the Junos OS documentation set:
• A new solutions guide, Next-Generation Network Addressing CGN and IPv6 Solutions,
is available in PDF format starting in Junos OS Release 11.4B1. Full documentation will
be posted in 11.4R1. The book provides consolidated and updated information on how
to use Carrier-Grade NAT (CGN) and related IPv6 transition technologies, including
Dual-Stack Lite (DS-Lite), 6rd, and 6to4 Provider-Managed Tunnels (PMT).
• The Junos OS DDoS Protection Configuration Guide is now available at the following
URL:
http://www.juniper.net/techpubs/en_US/junos11.2/information-products/pathway-pages/
config-guide-ddos/ddos-protection.html.
• Stateless firewall filter and traffic policer documentation is no longer included in the
Junos OS Policy Framework Configuration Guide. This material is now available in the
Junos OS Firewall Filter and Policer Configuration Guide only.
• Routing policy, traffic sampling, forwarding, and monitoring documentation is no longer
included in the Junos OS Policy Framework Configuration Guide. This material is now
available in the Junos OS Routing Policy Configuration Guide.
• The material that was formerly covered in the Junos OS Policy Framework Configuration
Guide Web pages is now available as three subject-based Web pages. You can locate
the links to the new Web pages at the following URLs:
• Routing Policy, Traffic Sampling, Forwarding, and Monitoring
Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products
/pathway-pages/config-guide-policy/config-guide-policy.html
• Stateless Firewall Filter
Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products
/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html
• Traffic Policer
Configuration—http://www.juniper.net/techpubs/en_US/junos11.2/information-products
/pathway-pages/config-guide-firewall-filter/config-guide-policer.html
• The Junos OS Hierarchy and Standards Reference is now available as three subject-based
Web pages. You can locate the links to the new Web pages for the guides at the
following URLs:
• Junos OS Configuration Statements and
Commands—http://www.juniper.net/techpubs/en_US/junos11.1/information-products
/pathway-pages/reference-hierarchy/junos-configuration-hierarchies.html
• Junos OS Product and Feature
Descriptions—http://www.juniper.net/techpubs/en_US/junos11.1/information-products
/pathway-pages/reference-hierarchy/junos-product-features.html
• Standards Supported by the Junos
OS—http://www.juniper.net/techpubs/en_US/junos11.1/information-products/pathway-pages
/reference-hierarchy/junos-supported-standards.html
• The term “Multiplay” has been replaced with “Session Border Control” in the Junos OS
Release Notes.
• The Integrated Multi-Service Gateway (IMSG) pathway page now includes three
complete configuration examples:
• IMSG—Basic Configuration
• IMSG—Dual BGFs
• IMSG—Server Clusters
The configuration examples are applicable to Junos OS Release 10.2 and later.
• In Junos OS Release 10.3R1 and later, PDF files are not available for individual HTML
pages in the Junos OS documentation set. PDF files are available for the complete
Junos OS Release 10.3 configuration guides at
http://www.juniper.net/techpubs/software/junos/junos103/index.html. PDF files for the
complete hardware guides are accessible at the following URLs:
• For M Series routers:
http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products
/pathway-pages/m-series/
• For MX Series routers:
http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products
/pathway-pages/mx-series/
• For T Series and TX Matrix routers:
http://www.juniper.net/techpubs/en_US/release-independent/junos/information-products
/pathway-pages/t-series/
In addition, individual HTML pages have a Print link in the upper left corner of the text
area on the page.
Related Documentation
• New Features in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers
on page 49
• Changes in Default Behavior and Syntax, and for Future Releases in Junos OS Release
11.4 for M Series, MX Series, and T Series Routers
• Issues in Junos OS Release 11.4 for M Series, MX Series, and T Series Routers
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for M Series, MX Series,
and T Series Routers
Junos OS Release Notes for Branch SRX Series Services Gateways and J Series Services Routers
Powered by Junos OS, Juniper Networks Branch SRX Series Services Gateways provide
robust networking and security services. Branch SRX Series Services Gateways are
designed to secure enterprise infrastructure, data centers, and server farms. The Branch
SRX Series Services Gateways include the SRX100, SRX210, SRX220, SRX240, and
SRX650 devices.
Juniper Networks J Series Services Routers running Junos OS provide stable, reliable, and
efficient IP routing, WAN and LAN connectivity, and management services for small to
medium-sized enterprise networks. These routers also provide network security features,
including a stateful firewall with access control policies and screens to protect against
attacks and intrusions, and IPsec VPNs. The J Series Services Routers include the J2320,
J2350, J4350, and J6350 devices.
• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and
J Series Services Routers on page 127
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for Branch SRX Series
Services Gateways and J Series Services Routers on page 137
• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways
and J Series Services Routers on page 139
• Outstanding Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways
and J Series Services Routers on page 162
• Resolved Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways
and J Series Services Routers on page 167
• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series
Services Gateways and J Series Services Routers on page 172
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for Branch SRX Series
Services Gateways and J Series Services Routers on page 176
New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
The following features have been added to Junos OS Release 11.4. Following the
description is the title of the manual or manuals to consult for further information.
NOTE: For the latest updates about support and issues on Junos Pulse, see the Junos Pulse Release Notes at http://www.juniper.net/techpubs/en_US/junos-pulse1.0/information-products/pathway-pages/junos-pulse/index.html
• Software Features on page 128
• Hardware Features—SRX210 Services Gateways on page 136
Software Features
AppSecure
• Application Groups—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
Application grouping is an enhancement to the AppSecure feature. It allows users to
group applications in policies.
Application grouping is mainly used to support:
• Customer-defined and predefined application groups in the application identification
module
• Multiple applications or groups in the application groups
• Application group support for application firewall (AppFW)—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The SRX Series devices allow configuring application firewall policies based on
individual applications. This new feature allows you to group applications and
application groups under a single name for simplified, consistent reuse when defining
application firewall policies.
[Junos OS Security Configuration Guide]
• Application signature management and usability enhancements—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
Juniper Networks provides improvements in the usability and management of predefined
application signatures available through the Junos OS application signature package
subscription service. Previously, predefined application signature updates were
downloaded to the Junos OS configuration file, resulting in an unnecessarily large file.
To improve usability, application signature updates are now downloaded and installed
in a separate application signature database on the SRX Series device.
Using CLI commands, users can manage predefined and custom application signatures
and application signature groups, as follows:
• View detailed and summary information.
• Copy, disable, and enable predefined application signatures for maximum flexibility
in the use and reuse of predefined application signatures and custom application
signatures.
• Create custom signatures by copying a predefined signature and using it as a
template.
In addition, CLI [servicesapplication-identification] commandsprovidemoreoptions
for the display and configuration of custom application signatures and application
signature groups
[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS
Security Configuration Guide]
• Heuristic detection of encrypted P2P applications—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
Peer-to-peer applications such as Skype contain encrypted data packets. The SRX Series devices cannot identify the encrypted data packets with the current application signatures, which are based on regular expression patterns. Heuristics are used to improve the detection rate. Junos OS detects encrypted peer-to-peer traffic on TCP and UDP.
If a session cannot be identified as known encrypted peer-to-peer traffic, you can assign it to a special application called junos:unspecified-encrypted. Application firewall can configure a policy on this application similar to other dynamic applications.
The edit services application-identification hierarchy has a new option, enable-heuristics, which you use to enable detection of encrypted peer-to-peer applications. The enable-heuristics option is off by default.
The show services application-identification counter command has two new per-SPU counters, Unspecified encrypted sessions and Encrypted P2P sessions:
root> show services application-identification counter
pic: 1/0
Counter type                        Value
Unspecified encrypted sessions      10
Encrypted P2P sessions              5
pic: 1/1
...
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
• IPv6 application firewall support—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. Application firewall now supports IPv6 addressing on these SRX Series Services Gateways.
Application firewall was previously supported in the IPv4 environment. Beginning with Junos OS Release 11.4, it is also supported on IPv6.
Juniper Networks devices provide additional security protection against known dynamic applications that can send traffic that might not be adequately controlled by standard network firewall policies. The application firewall functionality enforces policies based on the results of the application identification process. The application identification process identifies applications using pattern matching, protocol decoding, and heuristics.
To implement application firewall support:
• Network security policy—Modify the policy configuration to support the application firewall rule set within the existing configuration.
• Application firewall rule set—Define an application firewall rule set to be referenced by the network security policy.
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
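The following configuration is added here as an illustration and is not taken from the release notes or the configuration guides. It ties the AppSecure items above together: it turns on heuristic identification, builds a custom application group, and enforces an application firewall rule set from an IPv6 security policy, following the two-step procedure just described. The zone, address, group, and rule-set names are assumed; so is the availability of the named predefined applications in the installed signature package and of the dynamic-application-group match in the AppFW rule.

```junos
# Added example (not from the release notes). All object names are assumed.

# IPv6 must be in flow mode for the security policy to see the session
# (takes effect after a reboot).
set security forwarding-options family inet6 mode flow-based

# Heuristic identification of encrypted P2P is off by default.
set services application-identification enable-heuristics

# Custom application group. Member names must exist in the installed package:
# check with "show services application-identification application summary".
set services application-identification application-group my-p2p applications junos:BITTORRENT
set services application-identification application-group my-p2p applications junos:GNUTELLA

# Application firewall rule set referenced by name from the security policy.
set security application-firewall rule-sets block-p2p rule deny-p2p match dynamic-application-group my-p2p
set security application-firewall rule-sets block-p2p rule deny-p2p then deny
set security application-firewall rule-sets block-p2p rule deny-unknown-enc match dynamic-application junos:unspecified-encrypted
set security application-firewall rule-sets block-p2p rule deny-unknown-enc then deny
set security application-firewall rule-sets block-p2p default-rule permit

# IPv6 address object (global address book, assumed) and the zone policy that
# invokes the rule set.
set security address-book global address v6-clients 2001:db8:1::/64
set security policies from-zone trust to-zone untrust policy v6-out match source-address v6-clients
set security policies from-zone trust to-zone untrust policy v6-out match destination-address any
set security policies from-zone trust to-zone untrust policy v6-out match application any
set security policies from-zone trust to-zone untrust policy v6-out then permit application-services application-firewall rule-set block-p2p
commit

# Verification: identification counters per SPU and per-rule hit counts.
run show services application-identification counter
run show security application-firewall rule-set block-p2p
```

Sessions that the heuristics flag as encrypted but cannot match to a known peer-to-peer signature land in junos:unspecified-encrypted, which also catches legitimate encrypted protocols the signature package does not know. Watch the Unspecified encrypted sessions counter for a while before the deny-unknown-enc rule goes into production, and remember that AppFW acts only after enough of the session has been seen to identify it, so the first packets of a denied session are still forwarded.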
New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
• Nested application identification enhancement—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
New application identification contexts have been added formore extensive nested
application matching. Several new HTTP contexts have been added for application
detection:
• http-get-url-parsed-param-parsed
• http-post-url-parsed-param-parsed
• http-post-variable-parsed
• http-header-user-agent
• http-header-cookie
For encrypted HTTP sessions, the new ssl-server-name context extracts the server name from an SSL SERVER HELLO message and an SSL CLIENT HELLO message if they exist.
[Junos OS Security Configuration Guide ]
• On-box application tracking statistics—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
This feature adds application-level statistics to the AppSecure suite. Application
statistics allow an administrator to access cumulative statistics as well as statistics
accumulated over user-defined intervals. The administrator can clear the statistics
and configure the interval values.
Bytes and session count statistics are maintained. Because the statistics count
occurs at AppTrack session close event time, the byte and session counts are not
updated until the session closes.
SRX Series devices support a history of 8 intervals that an administrator can use to
display the application session and byte counts.
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
Global Policy
• Global policy—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
Unlike other security policies, global policies do not reference specific source and destination zones (from-zone and to-zone). Global policies allow you to regulate traffic with addresses and applications, regardless of their security zones. Global policies reference user-defined addresses or the predefined address "any". These addresses can span multiple security zones.
[Junos OS Security Configuration Guide]
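As an added illustration (not from the release notes), the following global policy drops traffic to a known-bad network from every zone with a single rule. The address and policy names are assumed, and the example assumes the device uses the global address book, which is what global policies reference.

```junos
# Added example (not from the release notes). Names are assumed.
set security address-book global address blocked-net 203.0.113.0/24

# One policy, no from-zone/to-zone: matched for traffic between any pair of zones.
set security policies global policy drop-blocked-net match source-address any
set security policies global policy drop-blocked-net match destination-address blocked-net
set security policies global policy drop-blocked-net match application any
set security policies global policy drop-blocked-net then deny
set security policies global policy drop-blocked-net then log session-init
commit

run show security policies global
```

Zone-pair policies are evaluated before global policies, so a from-zone/to-zone policy that permits this traffic still wins. To make the block unconditional, remove or narrow the overlapping zone-pair permit; a global deny is not a shortcut around existing permits.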
• Web authentication—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. Web authentication now supports IPv6 addresses.
• Firewall authentication—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. Firewall authentication now supports IPv6 addresses.
Intrusion Detection and Prevention (IDP)
• IDP content decompression on HTTP—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
To avoid IDP detection evasion on the HTTP compressed content, an IDP submodule
has been added that decompresses the protocol content. The signature pattern
matching is performed on the decompressed content. The decompression feature is
disabled by default.
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
• IDP attack description—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 for both J-Web and the CLI.
The IDP attack description feature enables users to use the CLI to learn more about
IDP attack objects. Currently, users view IDP attack objects in the
/var/db/idpd/sec-download/SignatureUpdate.xml file, which makes it difficult for
users to investigate and manage IDP attack objects. Users can quickly and easily
administer IDP attack objects when the details are displayed through the CLI.
You can use the show security idp attack description and the show security idp attack
detail operational mode commands to display details about IDP attack objects.
[Junos OS CLI Reference Guide]
J-Web
• Customer branding of firewall authentication webpage—This feature is supported
on SRX100, SRX210, SRX220, SRX240,and SRX650 devices.
Juniper Networks enables the administrator to replace the embedded Juniper Networks logo present on the firewall authentication webpage with a customer graphic. It also provides the ability to create a different logo for different logical systems.
• IDP monitoring—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices.
The following pages have been added to the J-Web user interface:
• Attacks Monitoring page
• Applications Monitoring page
• IDP performance in J-Web—IDP performance in J-Web has been improved for SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.
• J-Web for Layer 2 transparency—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The following pages have been added to the J-Web user interface:
• Configuring bridge domains
• Configuring static MAC address to Layer 2 interfaces under bridge domains
• Monitoring bridge domains
• Configuring interface as family bridge
• MAC learning and limiting global MAC learning count
• Security flow bridge configurations
• J-Web DVPN pages enhancement—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
The following J-Web pages have been created for dynamic VPN (DVPN) configuration
and converted to the EXTJS framework to enhance usability:
• Dynamic VPN Global Settings
• Dynamic VPN Client Edit
For configuration, you can now configure IKE and IPsec autokey for DVPN through the
Auto Tunnel > Phase I and Phase II pages.
SNMP
• Juniper Networks enterprise-specific License MIB—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices. It extends SNMP support for licensing information.
The enterprise-specific License MIB:
• Contains information about license features and the expiration details to reduce the
burden involved in managing licenses.
• Generates traps to alert users. For example, an alert is generated when a license
expires or when the total number of users exceeds the maximum number specified
in the license.
• Provides access to license-related information through the SNMP get and get-next operations.
[Junos OS SNMP MIBs and Traps Reference, MIB Reference for Branch SRX Series Services Gateways]
Security
• Enhanced Web Filtering—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
Enhanced Web Filtering with Websense is an integrated URL filtering solution. When you enable Enhanced Web Filtering on the device, the device intercepts HTTP and HTTPS requests and then sends the HTTP URL or the HTTPS source IP to the Websense ThreatSeeker Cloud (TSC). The TSC categorizes the URL into one of over 95 categories and also provides a site reputation. The TSC returns the URL category and the site reputation information to the device. The device then determines whether it can permit or block the request based on the information provided by the TSC.
You can consider Enhanced Web Filtering as an alternative to the existing integrated URL filtering SurfControl Content Portal Authority (SC-CPA) solution on the SRX Series devices. J Series devices, however, support only the existing SC-CPA functionality.
NOTE: You need to install a new license on the device to upgrade to the Enhanced Web Filtering solution.
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
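The following configuration is an added example, not part of the release notes: an Enhanced Web Filtering profile that blocks the hacking and malicious-site categories and any site the TSC rates as harmful or suspicious, and that fails closed when the cloud service cannot be reached. Profile, policy, and zone names are assumed, and the category names must match the category file installed with the license on your device.

```junos
# Added example (not from the release notes). Names are assumed; category
# names come from the installed Enhanced Web Filtering category file.
set security utm feature-profile web-filtering type juniper-enhanced
set security utm feature-profile web-filtering juniper-enhanced cache timeout 1800

# Category verdicts from the TSC.
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block category Enhanced_Hacking action block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block category Enhanced_Malicious_Web_Sites action block

# Reputation verdicts, applied when the category alone would permit.
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block site-reputation-action harmful block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block site-reputation-action suspicious block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block default permit

# Fail closed: if the TSC is unreachable or slow, do not silently permit.
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block fallback-settings default block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block fallback-settings server-connectivity block
set security utm feature-profile web-filtering juniper-enhanced profile ewf-block fallback-settings timeout block

# Bind the profile to a UTM policy and the UTM policy to a security policy.
set security utm utm-policy ewf-policy web-filtering http-profile ewf-block
set security policies from-zone trust to-zone untrust policy web-out match source-address any
set security policies from-zone trust to-zone untrust policy web-out match destination-address any
set security policies from-zone trust to-zone untrust policy web-out match application junos-http
set security policies from-zone trust to-zone untrust policy web-out match application junos-https
set security policies from-zone trust to-zone untrust policy web-out then permit application-services utm-policy ewf-policy
commit

run show security utm web-filtering status
run show security utm web-filtering statistics
```

Because only the IP address is sent to the TSC for HTTPS, categorization of encrypted sessions is by host rather than by URL, so a single shared-hosting address can carry both blocked and permitted sites. The fail-closed fallback settings will block all web traffic while the license or the connection to the TSC is down; check the status command before suspecting the policy itself.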
• GTP IE removal—This feature is supported on all branch SRX Series and J Series devices.
The multiple versions of the Third-Generation Partnership Project (3GPP) create interoperability problems in the mobile network. Junos OS Release 11.4 supports removal of R7, R8, and R9 information elements (IEs) of the GTPv1 messages, which allows you to retain interoperability.
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
• Security policies for self-traffic—This feature is supported on all branch SRX Series and J Series devices.
Users can now configure security policies for the self-traffic (the host inbound traffic
or the host outbound traffic) of the device. The user can further apply relevant services
to the new self-traffic policy.
The security policies for the self-traffic are configured under the new default security
zone called junos-host zone.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
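As an added example (not from the release notes), the following self-traffic policy restricts SSH to the device itself to a management subnet and logs everything else aimed at the device from the untrust zone. The address, zone, and policy names are assumed, and the example assumes the global address book is in use.

```junos
# Added example (not from the release notes). Names and addresses are assumed.
set security address-book global address mgmt-net 192.0.2.0/24

# Host-inbound traffic from untrust is matched against to-zone junos-host.
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match source-address mgmt-net
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match destination-address any
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh match application junos-ssh
set security policies from-zone untrust to-zone junos-host policy mgmt-ssh then permit

# Explicit catch-all so the result does not depend on a default for the host zone.
set security policies from-zone untrust to-zone junos-host policy deny-other match source-address any
set security policies from-zone untrust to-zone junos-host policy deny-other match destination-address any
set security policies from-zone untrust to-zone junos-host policy deny-other match application any
set security policies from-zone untrust to-zone junos-host policy deny-other then deny
set security policies from-zone untrust to-zone junos-host policy deny-other then log session-init

# The zone's host-inbound-traffic list still has to admit the service;
# the junos-host policy is applied in addition to it, not instead of it.
set security zones security-zone untrust host-inbound-traffic system-services ssh

# Rollback timer: a wrong match here locks you out of a remote device.
commit confirmed 5

run show security policies from-zone untrust to-zone junos-host
```

If IPsec tunnels or dynamic VPN terminate on the untrust interface, add explicit permits for junos-ike (and any other services the zone must accept) ahead of deny-other, or the catch-all will drop them as well.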
• Internet Key Exchange version 2 (IKEv2)—This feature is supported on all branch SRX Series devices.
IKEv2 is the next-generation standard for secure key exchange between peer devices, defined in RFC 4306. IKEv2 is available in Junos OS Release 11.4 for securing IPsec traffic. The initial release does not support all the capabilities described in the RFCs.
The advantages of using version 2 over version 1 are as follows:
• Simplifies the existing IKEv1
• Single RFC, including NAT-T, EAP, and remote address acquisition
• Replaces the 8 initial exchanges with a single 4-message exchange
• Reduces the latency for the IPsec SA setup and increases connection establishment
speed
• Increases robustness against DoS attack
• Improves reliability through the use of sequence numbers, acknowledgements, and
error correction
• Offers forward compatibility
• Provides simple cryptographic mechanisms
IKEv2 includes support for:
• Route-based VPN
• Site-to-site VPN
• Dead peer detection (liveness check)
• Chassis cluster
• Certificate-based authentication
• Hardware offloading of the ModExp operations in a Diffie-Hellman (DH) exchange
• IKE and child SA rekeying—In IKEv2, a child security association (SA) cannot exist
without the underlying IKE SA. If a child SA is required, it will be rekeyed; however, if
the child SAs are currently active, the corresponding IKE SA will be rekeyed.
• Version 1 and version 2
[Junos OS CLI Reference Guide, Junos OS Security Configuration Guide]
UTM
• UTM support in chassis cluster active/active configuration—This feature is supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices.
Previously, only UTM support for the Packet Forwarding Engine in active/backup chassis cluster configurations existed. Also, both the Packet Forwarding Engine and the Routing Engine had to be active in the same node for UTM functionality to work.
This feature introduces UTM support for active/active chassis cluster configurations where the Packet Forwarding Engine can be active on both the cluster nodes. With active/active chassis cluster support, the Routing Engine and the Packet Forwarding Engine can be active in different nodes.
NOTE: Sophos AV is not supported as part of the active/active chassis cluster implementation.
UTM supports stateless (no state regarding UTM is synced between the cluster nodes) Packet Forwarding Engine active/active chassis cluster configurations.
With Junos OS Release 11.4, the UTM functionality is supported in both active/active
and active/backup chassis cluster configurations.
UTM with chassis cluster supports the following failover types:
• Manual failover
• RG0 automatic failover
• RG1+ automatic failover
• Failover through flowd restart
• Failover through reboot
Chassis cluster support is enabled for the following UTM features:
• Content filtering
• URL (Web) filtering
• Antispam
• Express antivirus scanning
• Full file-based antivirus scanning
[Junos OS Security Configuration Guide, Junos OS Feature Support Reference for SRX
Series and J Series Devices]
VPN
• Site-to-site VPN support for NAT-T—This feature is supported on all branch SRX Series devices and J Series devices.
Site-to-site IKE gateway configuration for Network Address Translation-Traversal (NAT-T) is now supported on the server side (IKE responder). This is in addition to the current implementation of NAT-T support for dynamic IKE gateway configuration. A remote-identity value is used to validate a peer's ike-id or id during Phase 1 of IKE tunnel negotiation.
[Junos OS Security Configuration Guide]
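The following route-based site-to-site VPN is an added example, not taken from the release notes, covering both the IKEv2 feature in the Security section above and the NAT-T responder support just described: this device is the IKE responder, the peer sits behind a NAT device, and the peer is validated by its IKE identity rather than by the address it arrives from. Interface, zone, and object names, the addresses, and the pre-shared key are placeholders; the sha-256 authentication algorithm is assumed to be offered on your release (substitute what the CLI lists under authentication-algorithm if it is not).

```junos
# Added example (not from the release notes). Names, addresses and the PSK are
# placeholders; the zone and interface layout is assumed.

# IKE (Phase 1): IKEv2 only, DH group 14, PSK authentication.
set security ike proposal ike-p authentication-method pre-shared-keys
set security ike proposal ike-p dh-group group14
set security ike proposal ike-p authentication-algorithm sha-256
set security ike proposal ike-p encryption-algorithm aes-256-cbc
set security ike policy ike-pol proposals ike-p
set security ike policy ike-pol pre-shared-key ascii-text "replace-with-a-long-random-psk"

set security ike gateway branch-gw ike-policy ike-pol
# Address of the NAT device in front of the peer; packets arrive from here.
set security ike gateway branch-gw address 198.51.100.10
set security ike gateway branch-gw external-interface ge-0/0/0.0
set security ike gateway branch-gw version v2-only
# NAT-T responder: the peer is validated by its IKE ID, not by source address.
set security ike gateway branch-gw remote-identity hostname branch.example.com
# Liveness check (dead peer detection) is supported with IKEv2.
set security ike gateway branch-gw dead-peer-detection interval 10
set security ike gateway branch-gw dead-peer-detection threshold 3

# IPsec (Phase 2 / child SA) with PFS. Note the SRX650 caveat in this release:
# the PFS setting in the IPsec policy overrides the proposal-set.
set security ipsec proposal ipsec-p protocol esp
set security ipsec proposal ipsec-p authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-p encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group14
set security ipsec policy ipsec-pol proposals ipsec-p
set security ipsec vpn branch-vpn bind-interface st0.0
set security ipsec vpn branch-vpn ike gateway branch-gw
set security ipsec vpn branch-vpn ike ipsec-policy ipsec-pol
set security ipsec vpn branch-vpn establish-tunnels immediately

# Tunnel interface, zone membership, and the host-inbound service IKE needs.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
commit

run show security ike security-associations
run show security ipsec security-associations
```

The peer must present the same identity (here the hostname branch.example.com as its local-identity) or Phase 1 fails even though the PSK matches. If the IKE SA never appears, check that ike is in host-inbound-traffic for the zone of the external interface before looking at proposals; in chassis cluster mode the external interface has to be a reth interface (see Known Limitations).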
Virtual Private LAN Service (VPLS)
• Filtering and policing support (packet based)—This feature is supported on SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices.
This feature permits users to configure both firewall filters and policers for virtual
private LAN service (VPLS). Firewall filters enable you to filter packets based on their
components and perform an action on packets that match the filter. Policers enable
you to limit the amount of traffic that passes into or out of an interface.
This feature can be enabled by configuring VPLS filters, policers, and accounting through various CLI commands. VPLS filters and policers act on a Layer 2 frame that includes the media access control (MAC) header (after any VLAN rewrite or other rules are applied), but that does not include the cyclical redundancy check (CRC) field.
NOTE: You can apply VPLS filters and policers on the PE routers only to customer-facing (PE-CE) interfaces.
[Junos OS MPLS Configuration Guide for Security Devices]
Hardware Features—SRX210 Services Gateways
AX411 Access Point
• AX411 Access Point management is now supported on SRX100 and SRX110 Series
devices in addition to existing support on SRX210, SRX220, SRX240, and SRX650
devices.
The AX411 Access Point provides network access for wireless clients such as laptop or desktop computers, personal digital assistants (PDAs), and any other device equipped with a Wi-Fi adapter. The AX411 Access Point supports the new IEEE 802.11n wireless networking standard with backward compatibility for IEEE 802.11a/b/g standards.
You can manage and configure access points from the SRX Series device through the Junos operating system (Junos OS) command-line interface (CLI), J-Web interface,
and Network and Security Manager (NSM).
3G ExpressCard Support on the SRX210 Services Gateway
• Junos OS Release 11.4 supports the Sierra Wireless AirCard 503 (AC503) ExpressCard for GSM, HSPA, and UMTS networks on SRX210 devices, to provide wireless WAN connectivity as backup to primary WAN links. The AC503 ExpressCard is not available
from Juniper Networks.
3G USB Modem Support on the SRX210 Services Gateway
• Junos OS Release 11.4 supports the Sierra Wireless USB modem (U319, HSPA+ quad-band) on the SRX210 device (on USB port 1).
To use the 3G USB modem on the SRX210 device:
1. Upgrade the BIOS software packaged inside the Junos OS image. For detailed information about BIOS upgrade procedures, see the Junos OS Initial Configuration Guide for Security Devices.
NOTE: You need BIOS version 2.1 or later to use the 3G USB modems on the SRX210 device.
2. Configure the WAN port using the CLI command set chassis routing-engine usb-wwan port 1 to enable the USB port to use the U319 USB modem. See the Junos OS CLI Reference Guide.
3. Plug the 3G USB modem in to the appropriate USB slot (USB port 1) on the device.
NOTE: You can use the USB modem with a standard USB extension cable of 1.8288 meters (6 ft) or longer.
4. Reboot the device to start using the 3G USB modem.
Changes in Default Behavior and Syntax in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
The following current system behavior, configuration statement usage, and operational mode command usage might not yet be documented in the Junos OS documentation:
Command-Line Interface (CLI)
• On SRX100, SRX110, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the
clear services flow command is not supported.
• On all branch SRX Series and J Series devices, the following commands are now
supported:
CLI Command                                                    Description
show pppoe interfaces                                          List all Point-to-Point Protocol over Ethernet (PPPoE) sessions.
request pppoe connect                                          Connect to all sessions that are down.
request pppoe connect <pppoe-interface-name>                   Connect only to the specified session.
request pppoe disconnect                                       Disconnect all sessions that are up.
request pppoe disconnect <session-id | pppoe-interface-name>   Disconnect only the specified session, identified by either a session ID or a PPPoE interface name.
Intrusion Detection and Prevention (IDP)
• On all branch SRX Series devices, for a dynamic attack group using the direction filter, the expression AND should be used in the exclude values. As is the case with all filters, the default expression is OR. However, there is a choice of AND in the case of the direction filter.
For example, if you want to choose all attacks with the direction client-to-server, configure the direction filter using the set security idp dynamic-attack-group dyn1 filters direction values client-to-server command.
In the case of chain attacks, each of the multiple members has its own direction. If a
policy includes chain attacks, a client-to-server filter selects all chain attacks that have
any member with client-to-server as the direction. This means chain attacks that
includememberswith server-to-client or ANY as the direction are selected if the chain
has at least onemember with client-to-server as the direction.
To prevent these chain attacks from being added to the policy, configure the dynamic
group as follows:
• set security idp dynamic-attack-group dyn1 filters direction expression and
• set security idp dynamic-attack-group dyn1 filters direction values client-to-server
• set security idp dynamic-attack-group dyn1 filters direction values exclude-server-to-client
• set security idp dynamic-attack-group dyn1 filters direction values exclude-any
Multicast
• On all branch SRX Series and J Series devices, if the maximum number of leaves on a multicast distribution tree is exceeded, multicast sessions are created up to the maximum number of leaves, and any multicast sessions that exceed the maximum number of leaves are ignored. In previous releases, no multicast traffic was forwarded if the maximum number of leaves on the multicast distribution tree was exceeded.
The maximum number of leaves on a multicast distribution tree is device specific.
Virtual Private Networks (VPNs)
• On SRX650 devices, the perfect forward secrecy setting in an IPsec policy overrides
the settings in proposal-sets in Junos OS Release 10.4 and later.
Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
AppSecure
• Junos OS application identification
When you create custom application or nested application signatures for Junos OS
application identification, the order value must be unique among all predefined and
custom application signatures. The order value determines the application matching
priority of the application signature.
The order value is set with the set services application-identification application application-name signature order command. You can also view all signature order values by entering the show services application-identification | display set | match order command. You will need to change the order number of the custom signature if it conflicts with another application signature.
• J-Web pages for AppSecure are preliminary.
• Custom application signatures and custom nested application signatures are not
currently supported by J-Web.
• AppFW does not operate on ALG data sessions. As a result, the AppFW rules are not
applicable to these sessions. Therefore, ALG data sessions are excluded from AppFW
counters.
• AppSecure (AppTrack and AppFW) on the SRX100, SRX210, SRX220, SRX240, and
SRX650 devices is available through a controlled (EFT – Early Field Trial) release.
AX411 Access Points
• On SRX210, SRX240, and SRX650 devices, up to four access points (maximum) can be configured and managed.
Chassis Cluster
• SRX100, SRX210, SRX240, and SRX650 devices have the following chassis cluster
limitations:
• Virtual Router Redundancy Protocol (VRRP) is not supported.
• In-service software upgrade (ISSU) is not supported.
• The 3G dialer interface is not supported.
• On SRX Series device failover, access points on the Layer 2 switch reboot and all
wireless clients lose connectivity for 4 to 6minutes.
• On very-high-bit-rate digital subscriber line (VDSL) mini-PIM, chassis cluster is not
supported for VDSLmode.
• Queuing on the aggregated Ethernet (ae) interface is not supported.
• Group VPN is not supported.
• Sampling features like J-Flow, packet capture, and port mirroring on the reth interface are not supported.
• Switching is not supported in chassis cluster mode for SRX100 and SRX210.
• The Chassis Cluster MIB is not supported.
• Any packet-based services like MPLS and CLNS are not supported.
• lsq-0/0/0—Link services Multilink Point-to-Point Protocol (MLPPP), Multilink Frame Relay (MLFR), and Compressed Real-Time Transport Protocol (CRTP) are not supported.
• lt-0/0/0—CoS for real-time performance monitoring (RPM) is not supported.
• pp0—PPPoE and PPPoEoA are not supported.
• Packet-based forwarding for MPLS and International Organization for Standardization (ISO) protocol families is not supported.
• Layer 2 Ethernet switching
The factory default configuration for SRX100 devices automatically enables Layer 2 Ethernet switching. Because Layer 2 Ethernet switching is not supported in chassis cluster mode, for these devices, if you use the factory default configuration, you must delete the Ethernet switching configuration before you enable chassis clustering.
CAUTION: Enabling chassis clustering while Ethernet switching is enabled is not a supported configuration and might result in undesirable behavior from the devices, leading to possible network instability.
The default configuration for other SRX Series devices and all J Series devices does
not automatically enable Ethernet switching. However, if you have enabled Ethernet
switching, be sure to disable it before enabling clustering on these devices too.
• On all J Series devices, a Fast Ethernet port from a 4-port Ethernet PIM cannot be used as a fabric link port in a chassis cluster.
• On all branch SRX Series devices, only redundant Ethernet interfaces (reth) are supported for IKE external interface configuration in IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.
• On J Series devices, the ISDN feature on chassis cluster is not supported.
Command-Line Interface (CLI)
• On all J Series devices, RADIUS accounting is not supported.
• On SRX210 and SRX240 devices, J-Web crashes if more than nine users log in to the
device by using the CLI. The number of users allowed to access the device is limited
as follows:
• For SRX210 devices: four CLI users and three J-Web users
• For SRX240 devices: six CLI users and five J-Web users
• On J6350 devices, there is a difference of one unit between the power ratings provided by the user documentation (J Series Services Routers Hardware Guide and PIM, uPIM, and ePIM Power and Thermal Calculator) and the power ratings displayed by the CLI. The cause of this issue is a round-off error: the CLI display rounds the value down to the lower integer, and the ratings provided in the user documentation round it up to the higher integer. As a workaround, follow the user documentation for accurate ratings.
DOCSISMini-PIM
• On SRX210 devices, the DOCSIS Mini-PIM delivers speeds up to a maximum of 100 Mbps throughput in each direction.
Dynamic Host Configuration Protocol (DHCP)
• SRX Series and J Series devices do not support DHCPv6 client authentication.
Dynamic VPN
SRX100, SRX210, and SRX240 devices have the following limitations:
• The IKE configuration for the Junos Pulse client does not support the hexadecimal
preshared key.
• The Junos Pulse client IPsec does not support the Authentication Header (AH) protocol, or the Encapsulating Security Payload (ESP) protocol with NULL authentication.
• When you log in through the Web browser (instead of logging in through the Junos Pulse client) and a new client is available, you are prompted for a client upgrade even if the force-upgrade option is configured. Conversely, if you log in using the Junos Pulse client with the force-upgrade option configured, the client upgrade occurs automatically (without a prompt).
• On SRX Series devices, DH-group 14 is not supported for dynamic VPN.
• On branch SRX Series devices, when you download the Pulse client through a Mozilla browser, the "Launching the VPN client" page appears while Pulse is still downloading; when you download the Pulse client through Internet Explorer, the "Launching the VPN Client" page appears only after Pulse has been downloaded and installed.
Flow and Processing
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, due to a limit on the number of large packet buffers, Routing Engine based sampling might run out of buffers for packet sizes greater than or equal to 1500 bytes, and hence those packets will not be sampled. You could run out of buffers when the rate of the traffic stream is high.
• On SRX100 and SRX240 devices, the data file transfer rate for more than 20 megabits per second is reduced by 60 percent with the introduction of the Junos Pulse 1.0 client as compared to the Acadia client that was used before Junos OS Release 11.1.
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the default authentication table capacity is 10,000; the administrator can increase the capacity to a maximum of 15,000.
• On all branch SRX Series and J Series devices, when devices are operating in flow mode, the Routing Engine side cannot detect the path maximum transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).
• On all branch SRX Series devices, you cannot configure route policies and route patterns in the same dial plan.
• On all branch SRX Series devices, you can configure no more than four members in a station group. Station groups are used for hunt groups and ring groups.
• On all J Series devices, even when forwarding options are set to drop packets for the ISO protocol family, the device forms End System-to-Intermediate System (ES-IS) adjacencies and transmits packets because ES-IS packets are Layer 2 terminating packets.
• On all branch SRX Series and J Series devices, high CPU utilization triggered for reasons such as CPU intensive commands and SNMP walks causes the Bidirectional Forwarding Detection protocol (BFD) to flap while processing large BGP updates.
• On SRX210, SRX240, and J Series devices, broadcast TFTP is not supported when flow is enabled on the device.
• Maximum concurrent SSH, Telnet, and Web sessions—On SRX210, SRX240, and SRX650 devices, the maximum number of concurrent sessions is as follows:
Sessions   SRX210   SRX240   SRX650
ssh        3        5        5
telnet     3        5        5
Web        3        5        5
NOTE: These defaults are provided for performance reasons.
• On SRX210 and SRX240 devices, for optimized efficiency, we recommend that you limit use of CLI and J-Web to the numbers of sessions listed in the following table:
Device    CLI   J-Web   Console
SRX210    3     3       1
SRX240    5     5       1
• On SRX100 devices, Layer 3 control protocols (OSPF, using a multicast destination MAC address) on the VLAN Layer 3 interface work only with access switch ports.
Group VPN Interoperability with Cisco's GET VPN for Juniper Networks Security Devices that Support Group VPN
Cisco's implementation of the Group Domain of Interpretation (GDOI) is called Group Encryption Transport (GET) VPN. While group VPN in Junos OS and Cisco's GET VPN are both based on RFC 3547, The Group Domain of Interpretation, there are some implementation differences that you need to be aware of when deploying GDOI in a networking environment that includes both Juniper Networks security devices and Cisco routers. This topic discusses important items to note when using Cisco routers with GET VPN and Juniper Networks security devices with group VPN.
Cisco GET VPN members and Juniper group VPN members can interoperate as long as the server role is played by a Cisco GET VPN server and Juniper Networks security devices are group members, with the following caveats:
The group VPN in Release 11.4 of Junos OS has been tested with Cisco GET VPN servers running Version 12.4(22)T and Version 12.4(24)T.
To avoid traffic disruption, do not enable rekey on a Cisco server when the VPN group includes a Juniper Networks security device. The Cisco GET VPN server implements a proprietary ACK for unicast rekey messages. If a group member does not respond to the unicast rekey messages, the group member is removed from the group and is not able to receive rekeys. An out-of-date key causes the remote peer to treat IPsec packets as
bad security parameter indexes (SPIs). The Juniper Networks security device can recover
from this situation by reregistering with the server to download the new key.
Antireplay must be disabled on the Cisco server when a VPN group of more than two members includes a Juniper Networks security device. The Cisco server supports time-based antireplay by default. A Juniper Networks security device will not interoperate with a Cisco group member if time-based antireplay is used because the timestamp in the IPsec packet is proprietary. Juniper Networks security devices are not able to synchronize time with the Cisco GET VPN server and Cisco GET VPN members because the sync payload is also proprietary. Counter-based antireplay can be enabled if there are only two group members.
According to Cisco documentation, the Cisco GET VPN server triggers rekeys 90 seconds before a key expires, and the Cisco GET VPN member triggers rekeys 60 seconds before a key expires. When interacting with a Cisco GET VPN server, a Juniper Networks security device member needs to match Cisco behavior.
A Cisco GET VPN member accepts all keys downloaded from the GET VPN server. Policies associated with the keys are dynamically installed. A policy does not have to be configured on a Cisco GET VPN member locally, but a deny policy can optionally be configured to prevent certain traffic from passing through the security policies set by the server. For example, the server can set a policy to have traffic between subnet A and subnet B be encrypted by key 1. The member can set a deny policy to allow OSPF traffic between subnet A and subnet B not to be encrypted by key 1. However, the member cannot set a permit policy to allow more traffic to be protected by the key. The centralized security policy configuration does not apply to the Juniper Networks security device.
On a Juniper Networks security device, the ipsec-group-vpn configuration statement in the permit tunnel rule in a scope policy references the group VPN. This allows multiple policies referencing a VPN to share an SA. This configuration is required to interoperate with Cisco GET VPN servers.
Logical key hierarchy (LKH), a method for adding and removing group members, is not supported with group VPN on Juniper Networks security devices.
GET VPN members can be configured for cooperative key servers (COOP KSs), an ordered list of servers with which the member can register or reregister. Multiple group servers cannot be configured on group VPN members.
Hardware
This section covers filter and policing limitations.
• On SRX650 devices, the T1/E1 GPIMs (2-port or 4-port version) do not work in Junos
OS Release 9.6R1. This issue is resolved in Junos OS Release 9.6R2 and later releases,
but if you roll back to the 9.6R1 image, this issue is still seen.
Interfaces and Routing
• Dynamic VLAN assignments and guest VLANs are not supported on J Series and SRX100 devices.
• On SRX650 devices, Ethernet switching is not supported on the Gigabit Ethernet interfaces (ge-0/0/0 through ge-0/0/3 ports).
• The SRX210, SRX220, SRX240, and SRX650 devices cannot send logs to the NSM when logging is configured in stream mode. This is because the security log does not support configuring the source IP address for the fxp0 interface, and the security log destination in stream mode cannot be routed through the fxp0 interface. This means that you cannot configure the security log server in the same subnet as the fxp0 interface and route the log server through the fxp0 interface.
• On all branch SRX Series devices, the number of child interfaces per node is restricted
to 4 on the reth interface and the number of child interfaces per reth interface is
restricted to 8.
• On SRX240 High Memory devices, traffic might stop between the SRX240 device and the Cisco switch due to a link mode mismatch. We recommend setting the autonegotiation parameters on both ends to the same value.
• On SRX100 devices, the link goes down when you upgrade FPGA on 1xGE SFP. As a
workaround, run the restart fpc command and restart the FPC.
• On SRX210 devices with VDSL2, ATM CoS VBR-related functionality cannot be tested.
• On SRX210 devices, Internet Group Management Protocol version 2 (IGMPv2) JOINS
messages are dropped on an integrated routing and bridging (IRB) interface. As a
workaround, enable IGMP snooping to use IGMP over IRB interfaces.
• On J Series devices, the DS3 interface does not have an option to configure
multilink-frame-relay-uni-nni (MFR).
• On SRX210, SRX220, and SRX240 devices, every time the VDSL2 PIM is restarted in
the asymmetric digital subscriber line (ADSL) mode, the first packet passing through
the PIM is dropped.
• On SRX240 Low Memory devices and SRX240 High Memory devices, the RPM server operation does not work when the probe is configured with the destination-interface option.
• On J Series devices routed ports, Link Layer Discovery Protocol (LLDP) is not supported.
• In J Series xDSL PIMs, mapping between IP CoS and ATM CoS is not supported. If the user configures IP CoS in conjunction with ATM CoS, the logical interface level shaper matching the ATM CoS rate must be configured to avoid congestion drops in segmentation and reassembly (SAR).
Example:
set interfaces at-5/0/0 unit 0 vci 1.110
set interfaces at-5/0/0 unit 0 shaping cbr 62400                            (ATM CoS)
set class-of-service interfaces at-5/0/0 unit 0 scheduler-map sche_map      (IP CoS)
set class-of-service interfaces at-5/0/0 unit 0 shaping-rate 62400          (add IFL shaper)
• On SRX210, SRX220, and SRX240 devices, the 1-port Gigabit Ethernet SFP mini-PIM does not support switching in Junos OS Release 11.4.
• On SRX650 devices, MAC pause frame and frame check sequence (FCS) error frame
counters are not supported for the interfaces ge-0/0/0 through ge-0/0/3.
• On SRX240 and SRX650 devices, the VLAN range from 3967 to 4094 falls under the reserved VLAN address range, and the user is not allowed to configure any VLANs from this range.
• On SRX650 devices, the last four ports of a 24-Gigabit Ethernet switch GPIM can be used either as RJ-45 or SFP ports. If both are present and providing power, the SFP media is preferred. If the SFP media is removed or the link is brought down, then the interface will switch to the RJ-45 medium. This can take up to 15 seconds, during which the LED for the RJ-45 port might go on and off intermittently. Similarly, when the RJ-45 medium is active and a small form-factor pluggable transceiver (SFP) link is brought up, the interface will transition to the SFP medium, and this transition could also take a few seconds.
• On SRX210 devices, the USB modem interface can handle bidirectional traffic of up to 19 Kbps. On oversubscription of this amount (that is, bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged, and the interface goes down.
• On SRX100, SRX210, SRX240, and SRX650 devices, on the Layer 3 ae interface, the
following features are not supported:
• Encapsulations (such as CCC, VLAN CCC, VPLS, and PPPoE) on Layer 3 ae interfaces
• J-Web
• Layer 3 ae for 10-Gigabit Ethernet
• On SRX100 devices, the multicast data traffic is not supported on IRB interfaces.
• On SRX240 High Memory devices, when the system login deny-sources statement is used to restrict access, it blocks the remote copy (rcp) between nodes that is used to copy the configuration during the commit routine. Use a firewall filter on the lo0.0 interface to restrict Routing Engine access instead. However, if you choose to use the system login deny-sources statement, check the private addresses that were automatically assigned on lo0.x and sp-0/0/0.x and exclude them from the denied list.
Internet Key Exchange Version 2 (IKEv2)
On all branch SRX Series devices, IKEv2 does not include support for:
• Policy-based tunnels
• Dial-up tunnels
• Network Address Translation-Traversal (NAT-T)
• VPN monitoring
• Next-Hop Tunnel Binding (NHTB) for st0—Reusing the same tunnel interface for
multiple tunnels
• Extensible Authentication Protocol (EAP)
• IPv6
• Multiple child SAs for the same traffic selectors for each QoS value
• Proposal enhancement features
• Reuse of Diffie-Hellman (DH) exponentials
• Configuration payloads
• IP Payload Compression Protocol (IPComp)
• Dynamic Endpoint (DEP)
Intrusion Detection and Prevention (IDP)
• On SRX Series and J Series devices, from Junos OS Release 11.4 onwards, the IDP security package is based on the Berkeley database. Hence, when the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2 or later, a migration of the IDP security package files needs to be performed. This is done automatically on upgrade when the IDP daemon comes up. Similarly, when the image is downgraded, a migration (sec Db install) is automatically performed when the IDP daemon comes up, and previously installed database files get deleted. However, migration depends on the XML files for the installed database being present on the device. For first-time installation, full update files are required. If the last update on the device was an incremental update, migration might fail. In such a case, you have to manually download and install the IDP security package using the download or install CLI command before using the IDP configuration with predefined attacks or groups.
Workaround: Use the CLI command request security idp security-package download
full-update to manually download the individual components of the security package
from the Juniper Security Engineering portal before upgrading or downgrading the
image in the previous case.
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the request services
application-identification uninstall command will uninstall all predefined signatures.
• On all branch SRX Series devices, IDP does not allow header checks for nonpacket
contexts.
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum supported number of entries in the ASC table is 100,000. However, because the userland buffer has a fixed size of 1 MB, it displays a maximum of 38,837 cache entries.
• On SRX100, SRX210, SRX240, and SRX650 devices, policy compilation takes a long
time because:
• Software DFA is now used for attack signature compilation.
• The IDPD daemon gets a smaller CPU time slice during compilation.
• The maximum number of IDP sessions supported is 16,384 on SRX210 devices, 32,768 on SRX240 devices, and 131,072 on SRX650 devices.
• On all SRX Series devices, all IDP policy templates are supported except All Attacks. There is a 100-MB policy size limit for integrated mode and a 150-MB policy size limit for dedicated mode. The currently supported IDP policy templates are dynamic, based on the attack signatures being added. Therefore, be aware that supported templates might eventually grow past the policy-size limit.
On all SRX Series devices, the following IDP policies are supported:
• DMZ_Services
• DNS_Service
• File_Server
• Getting_Started
• IDP_Default
• Recommended
• Web_Server
• On all branch SRX Series devices, IDP deployed in both active/active and active/passive chassis clusters has the following limitations:
• No inspection of sessions that fail over or fail back.
• The IP action table is not synchronized across nodes.
• The Routing Engine on the secondary node might not be able to reach networks that are reachable only through a Packet Forwarding Engine.
• The SSL session ID cache is not synchronized across nodes. If an SSL session reuses a session ID and it happens to be processed on a node other than the one on which the session ID is cached, the SSL session cannot be decrypted and will be bypassed for IDP inspection.
• On all branch SRX Series devices, IDP deployed in active/active chassis clusters has
a limitation that for time-binding scope source traffic, if attacks from a source (with
more than one destination) have active sessions distributed across nodes, then the
attack might not be detected because time-binding counting has a local-node-only
view. Detecting this sort of attack requires an RTO synchronization of the time-binding
state that is not currently supported.
NOTE: On SRX100 devices, IDP high availability (HA) is supported in active/backup mode.
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the IDP policies for each user logical system are compiled together and stored in the data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:
• IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.
• As the application database increases, compiled policies will require more memory. Memory usage should be kept below the available data plane memory to allow for database increases.
IPv6 IPsec
The IPv6 IPsec implementation has the following limitations:
• IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6 minimum MTU size of 1280 bytes.
• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are 32 bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small performance degradation is observed.
• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel
scalability numbers might drop.
• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel
throughput performance.
• The IPv6 IPsec VPN does not support the following functions:
• 4in6 and 6in4 policy-based site-to-site VPN, IKE
• 4in6 and 6in4 route-based site-to-site VPN, IKE
• 4in6 and 6in4 policy-based site-to-site VPN, Manual Key
• 4in6 and 6in4 route-based site-to-site VPN, Manual Key
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key
• Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth
• IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)
• IKE peer type—Dynamic IP
• Chassis cluster for basic VPN features
• IKE authentication—PKI/RSA
• Network Address Translation-Traversal (NAT-T)
• VPN monitoring
• Hub-and-spoke VPNs
• Next Hop Tunnel Binding Table (NHTB)
• Dead Peer Detection (DPD)
• Simple Network Management Protocol (SNMP) for IPsec VPN MIBs
• Chassis cluster for advanced VPN features
• IPv6 link-local address
Layer 2 Transparent Mode
• DHCP server propagation is not supported in Layer 2 transparent mode.
IPv6 Support
• NSM—Consult the Network and Security Manager (NSM) release notes for version compatibility, required schema updates, platform limitations, and other specific details regarding NSM support for IPv6 addressing on SRX Series and J Series devices.
J-Web
• J-Web browser support for Dell PowerConnect and SRX Series devices—To access J-Web for all platforms, your device requires the following supported browsers and OS:
• Browser: Microsoft Internet Explorer version 7.0, and Mozilla Firefox version above
3.0 and below 3.5.
NOTE: Other browser versions might not provide access to J-Web, and only English-version browsers are supported.
• OS: Microsoft Windows XP Service Pack 3
• SRX Series and J Series browser compatibility
• To access the J-Web interface, your management device requires the following
software:
• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox
version 3.0
• Language support—English-version browsers
• Supported OS—Microsoft Windows XP Service Pack 3
• If the device is running the worldwide version of the Junos OS and you are using the Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in the Web browser to access the device.
• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed by default on the Dashboard page. You can enable or disable it using options in the Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes the Chassis View to be displayed.
• On all branch SRX Series devices, in the J-Web interface, there is no support for changing the T1 interface to an E1 interface or vice versa. As a workaround, use the CLI to convert from T1 to E1 and vice versa.
• On SRX Series and J Series devices, users cannot differentiate between Active and Inactive configurations on the System Identity, Management Access, User Management, and Date & Time pages.
• On SRX210 devices, there is no maximum length when the user commits the hostname in CLI mode; however, only 58 characters, maximum, are displayed in the J-Web System Identification panel.
• On all J Series devices, some J-Web pages for new features (for example, the Quick Configuration page for the switching features on J Series devices) display content in one or more modal pop-up windows. In the modal pop-up windows, you can interact only with the content in the window and not with the rest of the J-Web page. As a result, online Help is not available when modal pop-up windows are displayed. You can access the online Help for a feature only by clicking the Help button on a J-Web page.
• On all branch SRX Series devices, you cannot use J-Web to configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently supported for use as IKE external interfaces.
Network Address Translation (NAT)
• Maximum capacities for source pools and IP addresses have been extended on SRX650 devices, as follows:

Devices                 Source NAT Pools    PAT Maximum Address Capacity    PAT Port Number    Source NAT Rules Number
SRX650 (High Memory)    1024                1024                            64M                1024
SRX650 (Low Memory)     256                 256                             16M                1024
Increasing the capacity of source NAT pools consumes memory needed for port allocation. When source NAT pool and IP address limits are reached, port ranges should be reassigned. That is, the number of ports for each IP address should be decreased when the number of IP addresses and source NAT pools is increased. This ensures NAT does not consume too much memory. Use the port-range statement in configuration mode in the CLI to assign a new port range, or the pool-default-port-range statement to override the specified default.
Configuring port overloading should also be done carefully when source NAT pools are increased.
For a source pool with port address translation (PAT) in the range (64,510 through 65,533), two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323, and RTSP. In these scenarios, each IP address supporting PAT occupies 2048 ports (64,512 through 65,535) for Application Layer Gateway (ALG) module use.
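As an added example, not taken from these release notes, the following source NAT configuration shows one way to trade ports for addresses as the text above recommends: a constructed 256-address pool on a hypothetical SRX650 is given a narrowed per-pool port range, and the device-wide default range is lowered for any other pools. The pool name, zone names, prefixes, thresholds, and the pool-utilization-alarm statement are assumptions, not values from the release notes.

```junos
/* Added example, not from the Junos OS release notes; names, prefixes, and thresholds are constructed. */
security {
    nat {
        source {
            /* Device-wide override of the default PAT port range. It applies to every
               source pool that does not set its own range, so adding pools no longer
               reserves the full default port space for each address. */
            pool-default-port-range 1024 to 32767;
            /* Constructed large pool: 256 public addresses with PAT. */
            pool lsn-pool-1 {
                address {
                    203.0.113.0/24;
                }
                /* Per-pool port range: fewer ports per address because the pool
                   carries many addresses. The ALG-reserved RTP/RTCP ports noted in
                   the text sit above this range and are not affected by it. */
                port {
                    range 1024 to 16383;
                }
            }
            /* Assumed statement: raise an alarm before the narrowed range runs out of
               translations, so the memory saving does not turn into silent drops. */
            pool-utilization-alarm {
                raise-threshold 80;
                clear-threshold 70;
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule internal-to-lsn {
                    match {
                        source-address 10.0.0.0/8;
                    }
                    then {
                        source-nat {
                            pool {
                                lsn-pool-1;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

With this constructed range each address carries at most 15,360 concurrent PAT translations (ports 1024 through 16383), so size the range from the expected sessions per address rather than from the default.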
• NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.
The number of destination and static NAT rules has been incremented as shown in
Table 12 on page 152. The limitation on the number of destination-rule-set and
static-rule-set has been increased.
Table 12 onpage 152provides the requirementsper device to increase the configuration
limitation as well as to scale the capacity for each device.
Table 12: Number of Rules on SRX Series and J Series Devices
NAT Rule Type           SRX100    SRX210    SRX240    SRX650    J Series
Source NAT rule         512       512       1024      1024      512
Destination NAT rule    512       512       1024      1024      512
Static NAT rule         512       512       1024      6144      512
The restriction on the number of rules per rule set has been increased so that there is
only a device-wide limitation on howmany rules a device can support. This restriction
is provided to help you better plan and configure the NAT rules for the device.
Power over Ethernet (PoE)
• On SRX210-PoE devices, SDK packages might not work.
Security
• J Series devices do not support the authentication order password radius or password ldap at the [edit access profile profile-name authentication-order] hierarchy level. Instead, use the order radius password or ldap password.
• On all branch SRX Series and J Series devices, the limitation on the number of addresses in an address-set has been increased. The number of addresses in an address-set now depends on the device and is equal to the number of addresses supported by the policy.
Table 13: Number of Addresses in an address-set on SRX Series and J Series Devices

Device                 address-set
Default                1024
SRX100 High Memory     1024
SRX100 Low Memory      512
SRX210 High Memory     1024
SRX210 Low Memory      512
SRX240 High Memory     1024
SRX240 Low Memory      512
SRX650                 1024
J Series               1024
Simple Network Management Protocol (SNMP)
• On J Series devices, the SNMP NAT-related MIB is not supported in Junos OS Release
11.4.
Switching
• Layer 2 transparent mode support—On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following features are not supported for Layer 2 transparent mode:
• Gratuitous Address Resolution Protocol (GARP) on the Layer 2 interface
• Spanning Tree Protocol (STP)
• IP address monitoring on any interface
• Transit traffic through integrated routing and bridging (IRB)
• IRB interface in a routing instance
• Chassis clustering
• IRB interface handling of Layer 3 traffic
NOTE: The IRB interface is a pseudointerface and does not belong to the reth interface and redundancy group.
• On SRX100, SRX210, SRX240, and SRX650 devices, Change of Authorization is not
supported with 802.1x.
• On SRX100, SRX210, SRX240, and SRX650 devices, on the routed VLAN interface, the following features are not supported:
• IPv6 (family inet6)
• ISIS (family ISO)
• Class of service
• Encapsulations (Ether circuit cross-connect [CCC], VLAN CCC, VPLS, PPPoE, and
so on) on VLAN interfaces
• CLNS
• Protocol Independent Multicast (PIM)
• Distance Vector Multicast Routing Protocol (DVMRP)
• VLAN interface MAC change
• Gratuitous Address Resolution Protocol (ARP)
• Change VLAN-Id for VLAN interface
Unified Threat Management (UTM)
• On all J Series devices, UTM requires 1 GB of memory. If your J2320, J2350, or J4350 device has only 512 MB of memory, you must upgrade the memory to 1 GB to run UTM.
Upgrade and Downgrade
• On J Series devices, the Junos OS upgrade might fail due to insufficient disk space if the CompactFlash is smaller than 1 GB in size. We recommend using a 1-GB CompactFlash for Junos OS Release 10.0 and later.
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when you connect a client running Junos Pulse 1.0 to an SRX Series device that is running a later version of Junos Pulse, the client will not be upgraded automatically to the later version. You must uninstall Junos Pulse 1.0 from the client and then download the later version of Junos Pulse from the SRX Series device.
Virtual Private Networks (VPNs)
• On SRX100, SRX210, SRX240, and SRX650 devices, while configuring dynamic VPN using the Junos Pulse client, when you select the authentication-algorithm as sha-256 in the IKE proposal, the IPsec session might not get established.
Unsupported CLI for Branch SRX Series Services Gateways and J Series Services Routers
Accounting-Options Hierarchy
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the accounting, source-class, and destination-class statements in the [accounting-options] hierarchy level are not supported.
AX411 Access Point Hierarchy
• On SRX100 devices, there are CLI commands for wireless LAN configurations related
to the AX411 Access Point. However, at this time, the SRX100 devices do not support
the AX411 Access Point.
Chassis Hierarchy
• OnSRX100, SRX210, SRX220, SRX240, SRX650, andall J Series devices, the following
chassis hierarchy CLI commands are not supported. However, if you enter these
commands in the CLI editor, they appear to succeed and do not display an error
message.
set chassis craft-lockout
set chassis routing-engine on-disk-failure
Class-of-Service Hierarchy
• On SRX100, SRX210, SRX220, SRX240, SRX650, and J Series devices, the following
class-of-service hierarchy CLI commands are not supported. However, if you enter
these commands in the CLI editor, they appear to succeed and do not display an error
message.
set class-of-service classifiers ieee-802.1ad
set class-of-service interfaces interface-name unit 0 adaptive-shaper
Ethernet-Switching Hierarchy
• OnSRX100, SRX210, SRX220, SRX240, SRX650, andall J Series devices, the following
Ethernet-switching hierarchy CLI commands are not supported. However, if you enter
these commands in the CLI editor, they appear to succeed and do not display an error
message.
set ethernet-switching-options bpdu-block disable-timeout
set ethernet-switching-options bpdu-block interface
set ethernet-switching-options mac-notification
set ethernet-switching-options voip interface access-ports
set ethernet-switching-options voip interface ge-0/0/0.0 forwarding-class
Firewall Hierarchy
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following Firewall hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set firewall family vpls filter
set firewall family mpls dialer-filter d1 term
Interfaces CLI Hierarchy
On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following interface hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
• Aggregated Interface CLI on page 156
• ATM Interface CLI on page 157
• Ethernet Interfaces on page 158
• GRE Interface CLI on page 158
• IP Interface CLI on page 158
• LSQ Interface CLI on page 159
• PT Interface CLI on page 159
• T1 Interface CLI on page 159
• VLAN Interface CLI on page 160
Aggregated Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
request lacp link-switchover ae0
set interfaces ae0 aggregated-ether-options lacp link-protection
set interfaces ae0 aggregated-ether-options link-protection
ATM Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces at-1/0/0 container-options
set interfaces at-1/0/0 atm-options ilmi
set interfaces at-1/0/0 atm-options linear-red-profiles
set interfaces at-1/0/0 atm-options no-payload-scrambler
set interfaces at-1/0/0 atm-options payload-scrambler
set interfaces at-1/0/0 atm-options plp-to-clp
set interfaces at-1/0/0 atm-options scheduler-maps
set interfaces at-1/0/0 unit 0 atm-l2circuit-mode
set interfaces at-1/0/0 unit 0 atm-scheduler-map
set interfaces at-1/0/0 unit 0 cell-bundle-size
set interfaces at-1/0/0 unit 0 compression-device
set interfaces at-1/0/0 unit 0 epd-threshold
set interfaces at-1/0/0 unit 0 inverse-arp
set interfaces at-1/0/0 unit 0 layer2-policer
set interfaces at-1/0/0 unit 0 multicast-vci
set interfaces at-1/0/0 unit 0 multipoint
set interfaces at-1/0/0 unit 0 plp-to-clp
set interfaces at-1/0/0 unit 0 point-to-point
set interfaces at-1/0/0 unit 0 radio-router
set interfaces at-1/0/0 unit 0 transmit-weight
set interfaces at-1/0/0 unit 0 trunk-bandwidth
Ethernet Interfaces
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ge-0/0/1 gigether-options ignore-l3-incompletes
set interfaces ge-0/0/1 gigether-options mpls
set interfaces ge-0/0/0 stacked-vlan-tagging
set interfaces ge-0/0/0 native-vlan-id
set interfaces ge-0/0/0 radio-router
set interfaces ge-0/0/0 unit 0 interface-shared-with
set interfaces ge-0/0/0 unit 0 input-vlan-map
set interfaces ge-0/0/0 unit 0 output-vlan-map
set interfaces ge-0/0/0 unit 0 layer2-policer
set interfaces ge-0/0/0 unit 0 accept-source-mac
set interfaces fe-0/0/2 fastether-options source-address-filter
set interfaces fe-0/0/2 fastether-options source-filtering
set interfaces ge-0/0/1 passive-monitor-mode
GRE Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces gr-0/0/0 unit 0 ppp-options
set interfaces gr-0/0/0 unit 0 layer2-policer
IP Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces ip-0/0/0 unit 0 layer2-policer
set interfaces ip-0/0/0 unit 0 ppp-options
set interfaces ip-0/0/0 unit 0 radio-router
LSQ Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces lsq-0/0/0 unit 0 layer2-policer
set interfaces lsq-0/0/0 unit 0 family ccc
set interfaces lsq-0/0/0 unit 0 family tcc
set interfaces lsq-0/0/0 unit 0 family vpls
set interfaces lsq-0/0/0 unit 0 multipoint
set interfaces lsq-0/0/0 unit 0 point-to-point
set interfaces lsq-0/0/0 unit 0 radio-router
PT Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces pt-1/0/0 gratuitous-arp-reply
set interfaces pt-1/0/0 link-mode
set interfaces pt-1/0/0 no-gratuitous-arp-reply
set interfaces pt-1/0/0 no-gratuitous-arp-request
set interfaces pt-1/0/0 vlan-tagging
set interfaces pt-1/0/0 unit 0 radio-router
set interfaces pt-1/0/0 unit 0 vlan-id
T1 Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces t1-1/0/0 receive-bucket
set interfaces t1-1/0/0 transmit-bucket
set interfaces t1-1/0/0 encapsulation ether-vpls-ppp
set interfaces t1-1/0/0 encapsulation extended-frame-relay
set interfaces t1-1/0/0 encapsulation extended-frame-relay-tcc
set interfaces t1-1/0/0 encapsulation frame-relay-port-ccc
set interfaces t1-1/0/0 encapsulation satop
set interfaces t1-1/0/0 unit 0 encapsulation ether-vpls-fr
set interfaces t1-1/0/0 unit 0 encapsulation frame-relay-ppp
set interfaces t1-1/0/0 unit 0 layer2-policer
set interfaces t1-1/0/0 unit 0 radio-router
set interfaces t1-1/0/0 unit 0 family inet dhcp
set interfaces t1-1/0/0 unit 0 inverse-arp
set interfaces t1-1/0/0 unit 0 multicast-dlci
VLAN Interface CLI
• The following CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set interfaces vlan unit 0 family tcc
set interfaces vlan unit 0 family vpls
set interfaces vlan unit 0 accounting-profile
set interfaces vlan unit 0 layer2-policer
set interfaces vlan unit 0 ppp-options
set interfaces vlan unit 0 radio-router
Protocols Hierarchy
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following CLI commands are not supported. However, if you enter these commands in the CLI editor, they will appear to succeed and will not display an error message.
set protocols bfd no-issu-timer-negotiation
set protocols bgp idle-after-switch-over
set protocols l2iw
set protocols bgp family inet flow
set protocols bgp family inet-vpn flow
set protocols igmp-snooping vlan all proxy
Routing Hierarchy
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following routing hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set routing-instances <instance_name> services
set routing-instances <instance_name> multicast-snooping-options
set routing-instances <instance_name> protocols amt
set routing-options bmp
set routing-options flow
Services Hierarchy
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following services hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set services service-interface-pools
SNMP Hierarchy
• On SRX100, SRX210, SRX220, SRX240, SRX650, and all J Series devices, the following SNMP hierarchy CLI commands are not supported. However, if you enter these commands in the CLI editor, they appear to succeed and do not display an error message.
set snmp community <community_name> logical-system
set snmp logical-system-trap-filter
set snmp trap-options logical-system
set snmp trap-group d1 logical-system
System Hierarchy
• On all SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the following system
hierarchy CLI commands are not supported. However, if you enter these commands
in the CLI editor, they appear to succeed and do not display an error message.
set system diag-port-authentication
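Because the statements listed above commit without error, nothing on the device distinguishes them from configuration that is actually in effect; the practical check is to scan the set-format configuration offline before it is committed. The following Python script is an added example and is not Juniper code or part of these release notes. It transcribes the unsupported-statement lists above into prefix patterns and reports any matching statement. The slot and unit numbers, the <instance_name> and <community_name> tokens, and the trap-group name d1 are treated as placeholders (an assumption; the notes give them as examples), and the sample configuration it runs on is constructed.

```python
"""Flag Junos set-format statements that Junos OS 11.4 on branch SRX Series and
J Series devices accepts at commit time but does not implement. Added example,
not Juniper code; the statement list is transcribed from these release notes."""
import re

# Hierarchy prefix -> statements beneath it that the notes list as unsupported.
# Slot numbers, "unit 0" and <name> tokens are examples in the notes and are
# generalised below; "d1" in the trap-group entry is assumed to be a placeholder.
UNSUPPORTED = {
    "interfaces gr-0/0/0 unit 0": ["ppp-options", "layer2-policer"],
    "interfaces ip-0/0/0 unit 0": ["layer2-policer", "ppp-options", "radio-router"],
    "interfaces lsq-0/0/0 unit 0": [
        "layer2-policer", "family ccc", "family tcc", "family vpls",
        "multipoint", "point-to-point", "radio-router"],
    "interfaces pt-1/0/0": [
        "gratuitous-arp-reply", "link-mode", "no-gratuitous-arp-reply",
        "no-gratuitous-arp-request", "vlan-tagging"],
    "interfaces pt-1/0/0 unit 0": ["radio-router", "vlan-id"],
    "interfaces t1-1/0/0": [
        "receive-bucket", "transmit-bucket", "encapsulation ether-vpls-ppp",
        "encapsulation extended-frame-relay", "encapsulation extended-frame-relay-tcc",
        "encapsulation frame-relay-port-ccc", "encapsulation satop"],
    "interfaces t1-1/0/0 unit 0": [
        "encapsulation ether-vpls-fr", "encapsulation frame-relay-ppp",
        "layer2-policer", "radio-router", "family inet dhcp", "inverse-arp",
        "multicast-dlci"],
    "interfaces vlan unit 0": [
        "family tcc", "family vpls", "accounting-profile", "layer2-policer",
        "ppp-options", "radio-router"],
    "protocols": [
        "bfd no-issu-timer-negotiation", "bgp idle-after-switch-over", "l2iw",
        "bgp family inet flow", "bgp family inet-vpn flow",
        "igmp-snooping vlan all proxy"],
    "routing-instances <instance_name>": [
        "services", "multicast-snooping-options", "protocols amt"],
    "routing-options": ["bmp", "flow"],
    "services": ["service-interface-pools"],
    "snmp": [
        "community <community_name> logical-system", "logical-system-trap-filter",
        "trap-options logical-system", "trap-group <trap_group> logical-system"],
    "system": ["diag-port-authentication"],
}
TEMPLATES = [f"set {prefix} {stmt}"
             for prefix, stmts in UNSUPPORTED.items() for stmt in stmts]


def template_to_regex(template):
    """Compile a template to a prefix-anchored regex: <name> matches any word,
    xx-0/0/0 matches any slot/PIC/port of that interface type, and the number
    after "unit" matches any unit. Trailing arguments are allowed."""
    tokens = template.split()
    parts = []
    for i, tok in enumerate(tokens):
        if tok.startswith("<") and tok.endswith(">"):
            parts.append(r"\S+")
        elif re.fullmatch(r"[a-z]+\d*-\d+/\d+/\d+", tok):
            parts.append(re.escape(tok.split("-", 1)[0]) + r"-\d+/\d+/\d+")
        elif tok.isdigit() and i > 0 and tokens[i - 1] == "unit":
            parts.append(r"\d+")
        else:
            parts.append(re.escape(tok))
    return re.compile(r"^" + r"\s+".join(parts) + r"(?=\s|$)")


COMPILED = [(t, template_to_regex(t)) for t in TEMPLATES]


def lint_config(config_text):
    """Return (line number, statement, matched template) for each set statement
    the device would accept at commit but silently ignore."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("set "):
            continue  # comments, blank lines, delete/deactivate statements
        for template, pattern in COMPILED:
            if pattern.match(line):
                findings.append((lineno, line, template))
                break
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
## constructed sample
set system host-name branch-srx
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/30
set interfaces gr-0/0/0 unit 5 ppp-options chap
set interfaces lsq-0/0/0 unit 1 family vpls
set interfaces t1-1/0/0 encapsulation satop
set interfaces vlan unit 0 family inet address 10.0.0.1/24
set routing-instances CUST-A services
set snmp community public logical-system LS1
set protocols bgp family inet unicast
set system diag-port-authentication encrypted-password secret
"""

if __name__ == "__main__":
    for lineno, line, template in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: accepted but ignored: {line!r} (matches {template!r})")
```

Run it against the output of show configuration | display set. A flagged statement survives commit check but has no effect on the device, so whatever that statement was meant to provide (a policer, a logical-system-scoped SNMP community, diagnostic-port authentication) has to be delivered some other way or treated as absent.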
Related Documentation
• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127
• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 172
Outstanding Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
The following problems currently exist in Juniper Networks Branch SRX Series Services
Gateways and J Series Services Routers. The identifier following the description is the
tracking number in the Juniper Networks Problem Report (PR) tracking system.
Application Layer Gateway (ALG)
• On SRX650 devices, when MGCP ALG is enabled and the MGCP traffic traverses the
device, the device crashes and generates core files. [PR/602694]
Chassis Cluster
• On SRX240 High Memory devices, an image upgrade from Junos OS Release 10.3 does not support the validate option. The software upgrade can be done using the no-validate option. [PR/600467]
• On all branch SRX devices, in a chassis cluster, the status of the UTM Surf Control CPA web filtering server in the primary node shows as down even when the server is reachable. [PR/701479]
• On all branch SRX Series devices running chassis cluster, if the external VPN interface is a loopback interface, the device uses the physical interface IP address after an RG0 failover.
As a workaround, clear the IKE security association (SA) after the RG0 failover. It also helps to configure the IKE SA lifetime to be shorter than the IPsec SA lifetime, because a new IKE SA is then created whenever the IPsec SA rekeys. [PR/707291]
Flow and Processing
• On J2350 devices, CPU utilization rises sharply with 3000 connections per second due to the rtlogd and eventd daemons consuming high CPU resources. [PR/586224]
• On SRX650 devices, the secondary node is not available due to an increase in OLC
messages. [PR/590739]
• On all branch SRX Series devices, changes in policer, filter, or sampling configuration cause core files to be generated when multicast traffic is received. [PR/613782]
• On SRX240 devices, when the device updates the memory with the software multicast next hop index, it does not take into account the state of the logical aggregate child interface. [PR/668676]
• On SRX650 and SRX240 devices, the throughput performance of the Surf Control Web Filter has dropped. If you require the previous level of throughput performance, do not upgrade to Release 11.4R1. [PR/671777]
• On SRX100 High Memory devices, we do not recommend using the predefined policy
template IDP_Default as the active policy with the latest signature package installed.
Other policies from the policy templates can be used as the active policy. [PR/671977]
• On SRX100, SRX210, and SRX210 devices, a drop in flow and packet performance is observed for gre and gre_ipsec traffic. [PR/682501]
• On SRX210 devices, Packet Forwarding Engine core files are observed periodically.
[PR/697032]
• On J4350, SRX550, and SRX650 devices, when the peers are connected directly through both a t1 link and a ge link, a ping to the peer's link-local address on the t1 link interface does not go through the t1 link but through the ge link instead. [PR/684159]
• On all branch SRX Series devices, a memory leak occurs during the audit event
processing.
As a workaround, enable the security log cache using the edit security log cache
configuration statement. [PR/698907]
• On SRX210 and SRX240 devices, you can observe a performance drop of the Kaspersky antivirus solution. [PR/704838]
• On SRX220 devices, performance drops on Generic Routing Encapsulation (GRE)
tunnel interface. [PR/706412]
Interfaces and Routing
• On SRX210 High Memory devices, a ping from the remote end with a packet size of more than 1480 bytes does not succeed: the packets are dropped because the default MTU at the interface is 1496, while the default MTU of the remote host's Ethernet interface is 1514. [PR/469651]
• On J4350 devices, the routed interface (inet family) is not supported on the UPIMs when PIC mode is configured as “switching”. Only the switching functionality is supported in this mode. [PR/590771]
• On SRX210, SRX220, and SRX240 devices, with an at-x/x/x interface (ADSL, VDSL operating in at mode, and SHDSL), the difference between the MTU value on the logical interface and the MTU value on the physical interface has to be exactly 40 bytes. If it is not, the IP information is not displayed in the show interfaces command output. [PR/591585]
• On SRX210 devices, the G.SHDSL line does not come to show-time when the CPE is configured with annex-auto in 2-wire or 4-wire mode with an ADTRAN DSLAM, and in 2-wire mode with a Cisco DSLAM. [PR/686617]
• On SRX650 devices, when you enable application-firewall in policies back to back, ping does not work. [PR/708532]
Intrusion Detection and Prevention (IDP)
• On SRX210 devices, a performance drop is observed for IDP.
• On SRX240 devices, when downgrading from a Junos OS Release 11.4 or later image to a Release 11.1 or earlier image, the security package is deleted. Although it is reinstalled automatically when the IDP daemon comes up, this automatic installation sometimes fails because of an AI installation error. The status can be checked with the operational command request security idp security-package install status.
As a workaround, when the installation fails, manually download and install the complete update. [PR/705113]
• On SRX210 devices, the IDPD daemon generates a core file when the PFE is offline during a policy load operation. [PR/702321]
J-Web
• On SRX210 and J4350 devices, we recommend that you avoid logging out of the device on the Troubleshoot > CLI Terminal page, because the logout option on the page is hidden in the CLI. [PR/401772]
• On all branch SRX Series devices, performing software upload is not possible when
using the J-Web interface with the Mozilla Firefox browser of version 3.5 and later. As
a workaround, use Internet Explorer (IE) or Mozilla Firefox version 3. [PR/500039]
• On SRX100 devices, the Monitor > System View > Cluster Status page is not clearly visible in Internet Explorer version 8. [PR/597025]
• On SRX100 Series devices, if node 0 is down, you must use the CLI to see chassis information. [PR/598228]
• On SRX100 devices, the fxp0 interface is not listed in the Configure>chassis
cluster>cluster configuration>edit node>interface dialog box. [PR/599032]
• On all branch SRX Series devices, J-Web will not increment the cluster reth count. As
a workaround, increment the reth count from CLI before configuring the redundancy
group for the first time. [PR/599193]
• On all branch SRX Series devices, J-Web shows an invalid page while editing the ppd0 and ppe0 interfaces. As a workaround, use the CLI for configuring ppd0 and ppe0. [PR/660575]
• On SRX650 devices, in J-Web, the configuration change cannot pass the commit check; therefore, you cannot delete the domain name of an address book. [PR/662618]
• On all branch SRX Series devices, in J-Web, DS3/E3 is not visible on chassis viewer.
[PR/662812]
• On all branch SRX Series devices, when you configure UTM features on the J-Web interface, the buttons do not work in the antivirus windows when you use profile types for express antivirus scanning and Sophos. [PR/683726]
• In the J-Web interface, if you discard any available MIB profile, file or predefined object
from "accounting-options" on the Point and Click CLI Configuration page (Configure
> CLI Tools > Point and Click CLI), the J-Web session times out. As a workaround,
perform the same operation from the CLI. [PR/689261]
• On all branch devices, when you configure the wireless LAN access point on the Configure > Wireless LAN > Setting page, you cannot set Bolivia as a country. [PR/691824]
• On all branch devices, you cannot access the Help page directly from the Monitor > Wireless LAN page. As a workaround, navigate to Monitor > Interfaces and click Help > Help Contents. In the Help page, click the WLAN link in the list of items under Monitor Node. [PR/691915]
• On all branch devices, while editing the radio settings for a wireless LAN access point on the Configure > Wireless LAN > Setting page, you cannot edit the virtual access point. This occurs when the security options configured are static-wep and dot1x. [PR/692195]
• On all branch devices, if the device monitors more than one access point and packet capture is enabled on only one of them, you see a Data Refresh Failed error message when you try to view the details of the other access points on the Monitor > Wireless LAN page. As a workaround, enable or disable packet capture uniformly across all the monitored access points. [PR/692344]
• On all branch devices, while configuring the security option of a virtual access point under the radio settings of a wireless LAN access point with the value WPA Enterprise, you cannot configure the RADIUS Server fields under the WPA Enterprise security option. [PR/692739]
• On SRX100, SRX210, SRX240, and SRX650 devices, the country code configured for the AX411 Wireless LAN Access Point connected to the device on the Configure > Wireless LAN > Setting page is not reflected properly on the Monitor > Wireless LAN page. [PR/692740]
• On all branch SRX Series devices, upgrading the access point using J-Web (Configure > Wireless LAN > Firmware Upgrade) does not work. [PR/694627]
• On all branch devices, users cannot configure Supported rates and Supported Basic rates with different values on the Configure > Wireless LAN > Setting page. J-Web takes the values while deploying the configuration. [PR/696627]
• On all branch devices, the protection field is cleared when a user uses the Edit Radio option button to edit the advanced options on the Configure > Wireless LAN > Setting page. [PR/696629]
• On all branch SRX devices, you cannot view the access point details of an active access point from the J-Web Monitor > Wireless LAN page. [PR/700513]
• On all branch SRX devices, in Internet Explorer, the dashboard panels do not show any data until they are refreshed. [PR/703958]
Layer 2 Transparent Mode
• The transition from Layer 3 mode to Layer 2 mode is not possible if more than one logical interface is configured under a physical interface, for example:
• ge-0/0/4.2 up up inet 16.1.1.2/24
• ge-0/0/4.3 up up inet 16.1.1.3/24
• ge-0/0/4.4 up up inet 16.1.1.4/24
• ge-0/0/4.5 up up inet 16.1.1.5/24
• ge-0/0/4.6 up up inet 16.1.1.6/24
[PR/699497]
• On all branch SRX Series devices, while you transition from Layer 3 mode to Layer 2 mode, if any part of the management interface is under vlan.0, J-Web loses connectivity and the device cannot move from Layer 3 mode to Layer 2 mode. [PR/705004]
Network Address Translation (NAT)
• On all branch SRX Series devices, when you configure two static NAT rules in the default routing instance with the same prefix, one rule with the static-nat prefix routing-instance default statement and the other rule without it, the commit completes without any overlap warning.
Do not use the same static NAT prefix addresses in two rules in the default routing instance with one rule configured with static-nat prefix routing-instance default and the other rule without it. [PR/708433]
Upgrade and Downgrade
• On all branch SRX Series devices, application identification does not support the downgrade of an image when you attempt to downgrade the device from Junos OS Release 12.1 to Release 11.4. You must download and install the signature database once again.
If you upgrade the device from Junos OS Release 11.4 to Release 12.1, the application identification signatures take about 30 seconds to recompile. During these 30 seconds, application identification does not identify the traffic, and the traffic is dropped by the application firewall as an unknown session. [PR/689304]
UTM
• On all branch SRX devices, the maximum number of connections per second supported by the Enhanced Web Filtering solution is less than that supported by the Surf Control solution. [PR/609094]
• On SRX210 devices, UTM EAV status shows Engine not ready (Database Loading)
even after successfully loading the database. This issue occurs occasionally after the
image upgrade or downgrade, and on a system reboot.
As a workaround, delete the pattern database and issue pattern-update, with the
following operational commands:
• request security utm anti-virus juniper-express-engine pattern-delete
• request security utm anti-virus juniper-express-engine pattern-update
[PR/693530]
• On all branch SRX devices, when the Enhanced Web Filtering with Websense cache is disabled and the transaction rate is 200 per second or more, the fallback default counters increment. [PR/696183]
• On all branch SRX devices with UTM Enhanced Web Filtering enabled, entries in the log file are available for all URLs that have been directed to the client for a safe search
but no entries are available for URLs that have already had a safe search applied to
them. [PR/696495]
• On all branch SRX devices with Enhanced Web Filtering with Websense enabled, the TCP connections from the device to the ThreatSeeker Cloud (TSC) server are established without a valid feature license. [PR/698596]
• On J Series devices, do not upgrade the UTM feature to Release 11.4R1. [PR/707622]
VPN
• On SRX240 and SRX650 devices, when there is simultaneous negotiation, you may see multiple IPsec SAs and IKE SAs for the same peer. This does not affect any functionality. [PR/594860]
• On SRX240 devices, on reboot, mgd commit fails when you configure static next-hop tunnel bundling. [PR/695671]
Related Documentation
• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127
• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways
and J Series Services Routers on page 139
• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 172
Resolved Issues in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
The following are the issues that have been resolved since Junos OS Release 11.2 for
Juniper Networks branch SRX Series Services Gateways and J Series Services Routers.
The identifier following the description is the tracking number in the Juniper Networks
Problem Report (PR) tracking system.
Application Layer Gateways (ALGs)
• On SRX210 devices, when OpenPhone was used in fast start/slow start tunnel mode and another phone in normal mode, the call failed. [PR/684951: This issue has been resolved.]
Authentication
• On SRX650 devices, authentication failure occurred when a new user was added.
[PR/661720: This issue has been resolved.]
Chassis Cluster
• On SRX240 and SRX650 devices, in a chassis cluster, telnet/ssh to RVI traffic through
secondary node ports timed out within 20 seconds. [PR/567805: This issue has been
resolved.]
• On SRX650 devices, some interfaces on node0 in the chassis cluster showed
unspecified speed and half-duplex. [PR/597575: This issue has been resolved.]
• On SRX650 devices, the antivirus feature caused forwarding slowness at traffic peaks due to a memory issue related to scanning of SMTP traffic. [PR/610336: This issue has been resolved.]
• On SRX650 devices in a chassis cluster, failover took more than 5 seconds when the
monitored interface flapped. The switch link scan had originally been set for 4 seconds
and is now set for 0.5 seconds, thereby speeding up the link detection process.
[PR/664851: This issue has been resolved.]
• On SRX210, SRX220, SRX240, and SRX650 devices, if the ISSU failed and only one device in the cluster was upgraded, rollback to the previous configuration on that device was achieved only by using the following commands on the upgraded device:
• request chassis cluster in-service-upgrade abort
• request system software rollback
• request system reboot
[PR/670955: This issue has been resolved.]
• On SRX650 devices, when a second node was not present in a chassis cluster
configuration, any new provision of redundancy group got stuck in secondary state.
[PR/685322: This issue has been resolved.]
• On SRX650 devices, for switching deployment in chassis cluster, multicast traffic was
duplicated. [PR/689153: This issue has been resolved.]
DHCP
• On J4350 devices, the DHCP client lease did not have the correct attributes during
static lease renewal by the DHCP server to the client. The static binding lease given by
the server was the default lease time; however, the lease end time should have been
"never". [PR/665084: This issue has been resolved.]
Flow and Processing
• On SRX210, SRX220, SRX240, SRX650, and J Series devices, the TCP connections per second drop was anticipated. [PR/550444: This issue has been resolved.]
• On SRX210, SRX240, and SRX650 devices, traffic that required packet fragmentation was not passing or had large latency. [PR/590480: This issue has been resolved.]
• On SRX100 devices, when the device was switched from Layer 3 to Layer 2 mode, the
user was prompted to reboot the device. If the device was not rebooted and was
switched back to Layer 3mode, a core file was generated. [PR/605293: This issue has
been resolved.]
• On SRX210 High Memory devices, when the anchor interface of the GRE tunnel interface was configured to get its IP address from the CX111, the GRE tunnel was not created when the CX111 was restarted. [PR/605529: This issue has been resolved.]
• On J6350 devices, when the CLI command restart forwarding gracefully in chassis
cluster mode was executed, the FPC remained offline. [PR/605657: This issue has
been resolved.]
• On SRX220 devices, the show security policy <policy-name> command inconsistently showed the possible objects (security policy names) in the operational and configuration modes. [PR/608664: This issue has been resolved.]
• On J2320 devices, the E1 connected interface dropped traffic and generated a core file.
[PR/609720: The issue has been resolved.]
• On SRX210, SRX220, and J6350 devices, when the interface configuration changed continuously, OSPF got stuck in the init state over the E1/T1 link. [PR/660264: This issue has been resolved.]
• On SRX100, SRX210, SRX220, and SRX240 Low Memory devices, due to memory allocations, traffic stopped passing when ALG-based traffic was used. [PR/664378: This issue has been resolved.]
• On SRX240 devices, packet mode reordering of packets failed in multithreaded
platforms for multicast flows that had to go out on a single egress interface.
[PR/669046: This issue has been resolved.]
• On SRX210 devices, the 80th, 160th, 240th, and so on character of the message was lost while sending messages between users using the request message command. [PR/670106: This issue has been resolved.]
• On J2350 devices, the vrf-table-label could not be used when you used the
encapsulation type flexible-ethernet-services. [PR/671286: This issue has been
resolved.]
• On SRX240 devices, when host-originated packets were sent out through the
gr-interface, both local and transit counters did not increment for this interface.
[PR/676970: This issue has been resolved.]
• On SRX100, SRX210, SRX220, SRX240, SRX650 and J Series devices, Remote MAC
Learning for VPLS did not work. [PR/687956: This issue has been resolved.]
• On SRX210 devices, core files for pfe daemons were observed. [PR/697032: This issue has been resolved.]
Interfaces and Routing
• On SRX650 devices, when you rebooted the secondary node, the multicast session
was rebuilt, and there were extra leaves sessions with local0 as the outgoing interface
setup. [PR/604084: This issue has been resolved.]
• On SRX650 and J4350 devices, when OSPF was used over IPsec, a core file was
generated when the routing process was restarted. [PR/606272: This issue has been
resolved.]
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, VLAN to interface
disassociation did not work properly. [PR/662942: This issue has been resolved.]
• On SRX240 devices, no optical diagnostics were available for the ge interface on the 1xGE High-Performance SFP Mini-PIM PIC. [PR/666315: This issue has been resolved.]
• On SRX210 devices, the monitor traffic command disabled the VPLS service. [PR/670230: This issue has been resolved.]
• On SRX210 devices, when processing traffic from or to the SRX devices (host-bound traffic), GRE interface counters showed incorrect values and decremented occasionally. This was a display issue, as traffic was still being processed normally and no packets were lost. [PR/672302: This issue has been resolved.]
• On SRX240 devices, an error message was displayed when committing a DNAT pool
configuration with an IP address of 0.0.0.0/0 even though the commit executed
successfully. [PR/682915: This issue has been resolved.]
Intrusion Detection and Prevention (IDP)
• On SRX650 devices, VRRP hello packets were lost during IDP pattern update.
[PR/590838: This issue has been resolved.]
J-Web
• On the Security >Filters >IPv4 page and IPv6 firewall filters page, when users added
a new IPv4 filter name and clicked the Add button, the change was not reflected on
the pages. In addition, the configure firewall filter page did not appear. [PR/576194:
This issue has been resolved.]
• On SRX210 devices, in the J-Web interface, if you discard any available MIB profile, file, or predefined object from "accounting-options" on the Point and Click CLI Configuration page (Configure > CLI Tools > Point and Click CLI), the J-Web session timed out. [PR/689261: This issue has been resolved.]
• On SRX110 devices, the J-Web interface did not work on the SRX110H-VB models. [PR/689614: This issue has been resolved.]
License
• The SRX210, SRX220, SRX240, and SRX650 devices had two free dynamic VPN user licenses, but the LICENSE_EXPIRED alarm was generated if fewer than two users connected to the VPN on SRX Series devices. [PR/661417: This issue has been resolved.]
• On SRX210 and SRX240 devices with DC Power Supply, the default licenses did not
work. [PR/667526: This issue has been resolved.]
NAT
• On SRX240 devices, when you configured IP addresses for proxy ARP under the security NAT configuration, the device failed to respond to ARP probe packets. [PR/663507: This issue has been resolved.]
Switching
• On SRX210, SRX220, and J Series devices, the Dot1x-enabled port flooded traffic
without authentication. [PR/687053: This issue has been resolved.]
UTM
• On SRX650 devices, a commit error occurred when the policy used UTM:
"application-services' warning: license not installed for". [PR/600941: This issue has
been resolved.]
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, when you added a date-based license, the device accepted the license, but the addition was not displayed in the Licenses installed field of the output for the show system license command. The Expiry field showed “invalid or X days”, depending on whether the grace period was available or not. [PR/665111: This issue has been resolved.]
• On SRX210 devices, the HTTP downloading connection for UTM antivirus was dropped when the file exceeded 2 GB. [PR/668818: This issue has been resolved.]
• On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, you could enable the Enhanced Web Filtering feature of UTM with a license for the Surf Control Web Filtering feature. [PR/686290: This issue has been resolved.]
Virtual Private Network (VPN)
• On SRX210 devices, when the "@" sign was included in the dynamic hostname, the clear security dynamic-vpn user command returned an error: "Invalid username or ike id for user xxxx. No entry was cleared." [PR/608342: This issue has been resolved.]
• On SRX650 devices, the DSCP tagged packets coming in from a VPN tunnel were not
classified and were placed in the default best-effort queue on the egress interface.
[PR/664820: This issue has been resolved.]
Related Documentation
• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127
• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways
and J Series Services Routers on page 139
• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 172
Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
Errata for the Junos OS Software Documentation
This section lists outstanding issues with the software documentation.
Junos OS CLI Reference
• The Junos OS CLI Reference incorrectly specifies the IPsec proposal options in
proposal-set (IPsec) section. The IPsec proposals should be as follows:
• basic—nopfs-esp-des-sha and nopfs-esp-des-md5
• compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and
nopfs-esp-des-md5
• standard—g2-esp-3des-sha and g2-esp-aes128-sha
J Series Services Router Advanced WAN Access Configuration Guide
• The example given in the “Configuring Full-Cone NAT” section in the J Series Services Router Advanced WAN Access Configuration Guide available at http://www.juniper.net/techpubs/software/jseries/junos85/index.html is incorrect. The correct and updated example is given in the J Series Services Router Advanced WAN Access Configuration Guide available at http://www.juniper.net/techpubs/software/jseries/junos90/.
J2320, J2350, J4350, and J6350 Services Router Getting Started Guide
• The “Connecting to the CLI Locally” section in the J2320, J2350, J4350, and J6350 Services Router Getting Started Guide states that the required adapter type is DB-9 female to DB-25 male. This is incorrect; the correct adapter type is DB-9 male to DB-25 male.
Junos OS Feature Support Reference for SRX Series and J Series Devices
• Junos OS Feature Support Reference for SRX Series and J Series Devices, Chapter 2, “Feature Support Tables,” row 1 of Table 50: Transparent Mode Support, incorrectly states that the bridge domain and transparent mode feature is not supported on SRX100, SRX210, SRX220, SRX240, and SRX650 devices. The bridge domain and transparent mode feature is supported on all the listed devices from Junos OS Release 11.1.
J-Web
• J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about the download status.
• J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure > Security > Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your configured filters to interfaces.
• J-Web Configuration Instructions—Because of ongoing J-Web interface enhancements, some of the J-Web configuration example instructions in the Junos administration and configuration guides became obsolete and thus were removed. For examples that are missing J-Web instructions, use the provided CLI instructions.
Junos OS Security Configuration Guide
• In Chapter 1, “Understanding Flow-Based Processing,” of the Junos OS Security
Configuration Guide a figure showed incorrect placement of static, destination, and
source NAT. The figure has been corrected in Junos OS Release 11.4.
• The Junos OS Security Configuration Guide incorrectly states that the release supports
security chains, which validate a certificate path upward through eight levels of CA
authorities in the PKI hierarchy. The release does not support security chains.
• The Junos OS Security Configuration Guide incorrectly states that “For SRX Series chassis clusters made up of SRX100, SRX210, SRX220, SRX240, or SRX650 devices, SFP interfaces on Mini-PIMs cannot be used as the fabric link”. However, the SFP interfaces on Mini-PIMs can be used as the fabric link with the following limitation:
“During node failover, sometimes the primary node goes to disabled state and fabric probes are not received”.
Junos OS WLAN Configuration and Administration Guide
• This guide is missing information that the AX411 Access Point can be managed from SRX100 and SRX110 devices.
Errata for the Junos OS Hardware Documentation
This section lists outstanding issues with the hardware documentation.
AX411 Access Point Hardware Guide
• The AX411 Access Point Hardware Guide incorrectly documents the maximum number of supported access points on the SRX Series devices. The document should state that on the SRX210, SRX240, and SRX650 devices, you can configure and manage up to four access points (maximum).
• This guide is missing information that the AX411 Access Point can be managed from SRX100 and SRX110 devices.
J Series Services Routers Hardware Guide
• In the J Series Services Routers Hardware Guide, the procedure “Installing a DRAM
Module” omits the following condition:
All DRAM modules installed in the router must be the same size (in megabytes), type, and manufacturer. The router might not work properly when DRAM modules of different sizes, types, or manufacturers are installed.
• The J Series Services Routers Hardware Guide incorrectly states that only the J2350
Services Router complies with Network Equipment Building System (NEBS) criteria.
The document should state that the J2350, J4350, and J6350 routers comply with
NEBS criteria.
• The J Series Services Routers Hardware Guide is missing information about 100Base-LX connector support for 1-port and 6-port Gigabit Ethernet uPIMs.
SRX Series Services Gateways for the Branch Physical Interface Modules Hardware Guide
• In the “SRX Series Services Gateway Interfaces Power and Heat Requirements” section, the PIM Power Consumption Values table lists the power consumption value for the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM as 3.18 W.
The correct power consumption value for the 1-port Gigabit Ethernet Small Form-Factor Pluggable (SFP) Mini-PIM is 4.4 W.
SRX100 Services Gateway Hardware Guide
• In the “Connecting an SRX100 Services Gateway to the J-Web Interface” section, the
following information is missing in the note:
NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.
SRX210 Services Gateway Hardware Guide
• In the “Connecting an SRX210 Services Gateway to the J-Web Interface” section, the
following information is missing in the note:
NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.
SRX240 Services Gateway Hardware Guide
• In the “Connecting the SRX240 Services Gateway to the J-Web Interface” section, the
following information is missing in the note:
NOTE: Microsoft Internet Explorer version 6.0 is also supported as backward compatible from Microsoft Internet Explorer version 7.0.
Quick Start Guides
• In the SRX210 Services Gateway 3G ExpressCard Quick Start, several tasks are listed in
the wrong order. “Task 6: Connect the External Antenna” should appear before “Task
3: Check the 3G ExpressCard Status,” because the user needs to connect the antenna
before checking the status of the 3G ExpressCard. The correct order of the tasks is as
follows:
1. Install the 3G ExpressCard
2. Connect the External Antenna
3. Check the 3G ExpressCard Status
4. Configure the 3G ExpressCard
5. Activate the 3G ExpressCard Options
• In the SRX210 Services Gateway 3G ExpressCard Quick Start, in “Task 6: Connect the External Antenna,” the following sentence is incorrect and redundant: “The antenna has a magnetic mount, so it must be placed far away from radio frequency noise sources including network components.”
• In the SRX210 3G Quick Start Guide, in the “Frequently Asked Questions” section, the
answer to the following question contains an inaccurate and redundant statement:
Q: Is an antenna required? How much does it cost?
A: The required antenna is packaged with the ExpressCard in the SRX210 Services Gateway 3G ExpressCard kit at no additional charge. The antenna will have a magnetic mount with ceiling and wall mount kits within the package.
In the answer, the sentence “The antenna will have a magnetic mount with ceiling and wall mount kits within the package” is incorrect and redundant.
SRX210 Services Gateway Quick Start Guide
• Installing Software Packages—The SRX210 Services Gateway Hardware Guide is
missing the following information:
On SRX210 devices, the /var hierarchy is hosted in a separate partition (instead of the
root partition). If Junos OS installation fails as a result of insufficient space:
1. Use the request system storage cleanup command to delete temporary files.
2. Delete any user-created files both in the root partition and under the /var hierarchy.
Related Documentation
• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127
• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 139
Upgrade and Downgrade Instructions for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers
In order to upgrade to Junos OS Release 11.4 or later, your device must be running one of
the following Junos OS Releases:
• 9.1S1
• 9.2R4
• 9.3R3
• 9.4R3
• 9.5R1 or later
If your device is running an earlier release, upgrade to one of these releases and then to
the 11.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release
9.2R4 and then to Release 11.4.
For additional upgrade and download information, see the Junos OS Initial Configuration
Guide for Security Devices and the Junos OS Migration Guide.
• Upgrade and Downgrade Scripts for Address Book Configuration on page 177
• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 179
• Hardware Requirements for Junos OS Release 11.4 for SRX Series Services Gateways
and J Series Services Routers on page 179
Upgrade and Downgrade Scripts for Address Book Configuration
Beginning with Junos OS Release 11.4, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).
You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.
Juniper Networks provides Junos operation scripts that allow you to work in either of the
address book configuration formats (see Figure 1 on page 178).
• About Upgrade and Downgrade Scripts on page 177
• Running Upgrade and Downgrade Scripts on page 178
About Upgrade and Downgrade Scripts
After downloading Junos OS Release 11.4, you have the following options for configuring
the address book feature:
• Use the default address book configuration—You can configure address books using
the zone-defined configuration format, which is available by default. For information
on how to configure zone-defined address books, see the Junos OS Release 11.1
documentation.
• Use the upgrade script—You can run the upgrade script available on the Juniper Networks
support site to configure address books using the new zone-attached configuration
format. When upgrading, the system uses the zone names to create address books.
For example, addresses in the trust zone are created in an address book named
trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules
remain unaffected.
After upgrading to the zone-attached address book configuration:
• You cannot configure address books using the zone-defined address book
configuration format; the CLI displays an error and fails to commit.
• You cannot configure address books using the J-Web interface.
For information on how to configure zone-attached address books, see the Junos OS
Release 11.4 documentation.
• Use the downgrade script—After upgrading to the zone-attached configuration, if you
want to revert to the zone-defined configuration, use the downgrade script available
on the Juniper Networks support site. For information on how to configure zone-defined
address books, see the Junos OS Release 11.1 documentation.
NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.
Figure 1: Upgrade and Downgrade Scripts for Address Books
[Figure: zone-defined address book configuration. Download Junos OS Release 11.2 or later and run the upgrade script to reach the zone-attached address book configuration (global address book is available by default; address book is defined under the security hierarchy; zones need to be attached to address books). Run the downgrade script to return to the zone-defined address book configuration. Note: make sure to revert any configuration that uses addresses from the global address book.]
Running Upgrade and Downgrade Scripts
The following restrictions apply to the address book upgrade and downgrade scripts:
• The scripts cannot run unless the configuration on your system has been committed.
Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.
• The scripts cannot run when the global address book exists on your system.
• If you upgrade your device to Junos OS Release 11.4 and configure logical systems, the
master logical system retains any previously-configured zone-defined address book
configuration. The master administrator can run the address book upgrade script to
convert the existing zone-defined configuration to the zone-attached configuration.
The upgrade script converts all zone-defined configurations in the master logical system
and user logical systems.
NOTE: You cannot run the downgrade script on logical systems.
For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.
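The two sections above describe what the upgrade script produces (one address book per zone, named after the zone and attached to it) and the conditions under which neither script will run (both formats present, or the global address book in use). The following Python script is an added example, not Juniper's operation script, that performs the same conversion on set-style configuration lines and refuses to run under the same conditions. The set-command syntax for both formats and the name "global" for the default global address book are assumptions; the sample configuration is constructed for this example.

```python
import re

# Zone-defined form (Release 11.1 and earlier), as assumed Junos set syntax:
#   set security zones security-zone <zone> address-book address <name> <prefix>
ZONE_DEFINED = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
# Zone-attached form (Release 11.4), as assumed Junos set syntax:
#   set security address-book <book> address <name> <prefix>
#   set security address-book <book> attach zone <zone>
BOOK_ADDRESS = re.compile(r"^set security address-book (\S+) address (\S+) (\S+)$")
BOOK_ATTACH = re.compile(r"^set security address-book (\S+) attach zone (\S+)$")
GLOBAL_BOOK = "global"  # assumed name of the default global address book

# Constructed sample of a zone-defined configuration. The NAT rule and the policy
# reference the same prefix and address name and must pass through untouched.
SAMPLE_ZONE_DEFINED = [
    "set security zones security-zone trust address-book address web-server 10.1.1.10/32",
    "set security zones security-zone trust address-book address lan 10.1.0.0/16",
    "set security zones security-zone untrust address-book address partner 203.0.113.0/24",
    "set security nat source rule-set rs1 rule r1 match source-address 10.1.0.0/16",
    "set security policies from-zone trust to-zone untrust policy p1 match source-address lan",
]


def _lines(config):
    return [l.strip() for l in config if l.strip()]


def classify(config):
    """Report which address-book formats a set-style configuration contains."""
    kinds = {"zone_defined": False, "zone_attached": False, "global_book": False}
    for line in _lines(config):
        if ZONE_DEFINED.match(line):
            kinds["zone_defined"] = True
        m = BOOK_ADDRESS.match(line) or BOOK_ATTACH.match(line)
        if m:
            kinds["global_book" if m.group(1) == GLOBAL_BOOK else "zone_attached"] = True
    return kinds


def script_blocker(config):
    """Return the reason the scripts would refuse to run, or None if they can run."""
    kinds = classify(config)
    if kinds["zone_defined"] and kinds["zone_attached"]:
        return "zone-defined and zone-attached address books are both present (commit would fail)"
    if kinds["global_book"]:
        return "the global address book is in use; revert configuration that references it first"
    return None


def upgrade_address_books(config):
    """Rewrite zone-defined address books into one zone-attached book per zone,
    named <zone>-address-book and attached to that zone. Other statements pass through."""
    reason = script_blocker(config)
    if reason:
        raise ValueError(reason)
    per_zone, out = {}, []
    for line in _lines(config):
        m = ZONE_DEFINED.match(line)
        if not m:
            out.append(line)
            continue
        zone, name, prefix = m.groups()
        per_zone.setdefault(zone, []).append((name, prefix))
    for zone, entries in per_zone.items():
        book = f"{zone}-address-book"
        out.extend(f"set security address-book {book} address {n} {p}" for n, p in entries)
        out.append(f"set security address-book {book} attach zone {zone}")
    return out


def downgrade_address_books(config):
    """Rewrite zone-attached address books back into the zone-defined form.
    A book attached to several zones is replicated into each of them; a book
    attached to no zone cannot be expressed zone-defined and is rejected."""
    reason = script_blocker(config)
    if reason:
        raise ValueError(reason)
    addresses, zones, out = {}, {}, []
    for line in _lines(config):
        m = BOOK_ADDRESS.match(line)
        if m:
            addresses.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        m = BOOK_ATTACH.match(line)
        if m:
            zones.setdefault(m.group(1), []).append(m.group(2))
            continue
        out.append(line)
    for book, entries in addresses.items():
        if book not in zones:
            raise ValueError(f"address book {book} is not attached to any zone")
        for zone in zones[book]:
            out.extend(f"set security zones security-zone {zone} address-book address {n} {p}"
                       for n, p in entries)
    return out
```

Running script_blocker over a candidate configuration before a commit is the practical check here: it reports the mixed-format condition that the CLI rejects, and the global address book usage that the note above says must be reverted before the downgrade script is run.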
Upgrade Policy for Junos OS Extended End-Of-Life Releases
An expanded upgrade and downgrade path is now available for the Junos OS Extended
End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of
two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.
For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second
time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either
10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0
or 9.3, and then perform a second downgrade to Release 8.5.
For upgrades and downgrades to or from a non-EEOL release, the current policy is that
you can upgrade and downgrade by no more than three releases at a time. This policy
remains unchanged.
For more information on EEOL releases and to review a list of EEOL releases, see
http://www.juniper.net/support/eol/junos.html .
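The EEOL hop rule above (at most two adjacent EEOL releases per step, in either direction) is easy to get wrong when planning maintenance, so here is an added Python example, not Juniper tooling, that validates a single move and plans a full path. The EEOL list is constructed from the releases the page names (8.5, 9.3, 10.0, 10.4); the authoritative list is at the URL above. The separate three-release rule for non-EEOL releases is not modelled.

```python
def release_key(release):
    """Order releases numerically ("10.0" after "9.3"), not as strings."""
    major, minor = release.split(".")
    return (int(major), int(minor))


# EEOL releases named on the page, constructed for this example and sorted into
# release order. The real list is at http://www.juniper.net/support/eol/junos.html.
EEOL_RELEASES = sorted(["10.4", "9.3", "10.0", "8.5"], key=release_key)
MAX_EEOL_HOP = 2  # at most two adjacent EEOL releases per upgrade or downgrade step


def direct_eeol_move_allowed(src, dst, eeol=EEOL_RELEASES):
    """True if the policy permits installing dst directly on a device running src."""
    if src not in eeol or dst not in eeol:
        raise ValueError("both releases must be EEOL releases")
    i, j = eeol.index(src), eeol.index(dst)
    return i != j and abs(i - j) <= MAX_EEOL_HOP


def plan_eeol_path(src, dst, eeol=EEOL_RELEASES):
    """Releases to install, in order, to get from src to dst in the fewest steps.
    Each step takes the largest hop the policy allows; works for downgrades too."""
    if src not in eeol or dst not in eeol:
        raise ValueError("both releases must be EEOL releases")
    i, j = eeol.index(src), eeol.index(dst)
    path = []
    while i != j:
        step = min(MAX_EEOL_HOP, abs(j - i))
        i += step if j > i else -step
        path.append(eeol[i])
    return path
```

For the page's own example, plan_eeol_path("8.5", "10.4") returns the two-step path through 10.0 (the path through 9.3 is equally valid under the policy; the planner simply picks the larger hop), and plan_eeol_path("10.4", "8.5") returns the downgrade through 9.3.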
Hardware Requirements for Junos OS Release 11.4 for SRX Series Services Gateways and J Series Services Routers
Transceiver Compatibility for SRX Series and J Series Devices
We strongly recommend that only transceivers provided by Juniper Networks be used
on SRX Series and J Series interface modules. Different transceiver types (long-range,
short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface
module will operate correctly if third-party transceivers are used.
Please contact Juniper Networks for the correct transceiver part number for your device.
Power and Heat Dissipation Requirements for J Series PIMs
On J Series Services Routers, the system monitors the PIMs and verifies that the PIMs fall within the power and heat dissipation capacity of the chassis. If power management
is enabled and the capacity is exceeded, the system prevents one or more of the PIMs
from becoming active.
CAUTION: Disabling the power management can result in hardware damage if you overload the chassis capacities.
You can also use CLI commands to choose which PIMs are disabled. For details about
calculating the power and heat dissipation capacity of each PIM and for troubleshooting
procedures, see the J Series Services Routers Hardware Guide.
Supported Third-Party Hardware
The following third-party hardware is supported for use with J Series Services Routers
running Junos OS.
• USB Modem
We recommend using a U.S. Robotics USB 56K V.92 Modem, model number USR5637.
• Storage Devices
The USB slots on J Series Services Routers accept a USB storage device or USB storage device adapter with a CompactFlash card installed, as defined in the CompactFlash Specification published by the CompactFlash Association. When the USB device is installed and configured, it automatically acts as a secondary boot device if the primary
CompactFlash card fails on startup. Depending on the size of the USB storage device,
you can also configure it to receive any core files generated during a router failure. The
USB device must have a storage capacity of at least 256 MB.
Table 14 on page 180 lists the USB and CompactFlash card devices supported for use
with the J Series Services Routers.
Table 14: Supported Storage Devices on the J Series Services Routers
Third-Party Part Number   Storage Capacity   Manufacturer
SDCZ2-256-A10             256 MB             SanDisk—Cruzer Mini 2.0
SDCZ3-512-A10             512 MB             SanDisk
SDCZ7-1024-A10            1024 MB            SanDisk
DTI/512KR                 512 MB             Kingston
DTI/1GBKR                 1024 MB            Kingston
SDDR-91-A15               N/A                SanDisk—ImageMate USB 2.0 Reader/Writer for CompactFlash Type I and II
SDCFB-512-455             512 MB             SanDisk CompactFlash
SDCFB-1000.A10            1 GB               SanDisk CompactFlash
J Series CompactFlash and Memory Requirements
Table 15 on page 181 lists the CompactFlash card and DRAM requirements for J Series
Services Routers.
Table 15: J Series CompactFlash Card and DRAM Requirements
Model   Minimum CompactFlash Card Required   Minimum DRAM Required   Maximum DRAM Supported
J2320   1 GB                                 1 GB                    1 GB
J2350   1 GB                                 1 GB                    1 GB
J4350   1 GB                                 1 GB                    2 GB
J6350   1 GB                                 1 GB                    2 GB
Related Documentation
• New Features in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 127
• Known Limitations in Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 139
• Errata and Changes in Documentation for Junos OS Release 11.4 for Branch SRX Series Services Gateways and J Series Services Routers on page 172
Junos OS Release Notes for High-End SRX Series Services Gateways
Powered by Junos OS, Juniper Networks high-end SRX Series Services Gateways provide robust networking and security services. They are designed to secure enterprise infrastructure, data centers, and server farms. The high-end SRX Series Services Gateways include the SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
• New Features in Junos OS Release 11.4 for High-End SRX Series Services
Gateways on page 182
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX
Series Services Gateways on page 195
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services
Gateways on page 198
• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services
Gateways on page 212
• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services
Gateways on page 217
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX
Series Services Gateways on page 220
• Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 223
New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways
The following features have been added to Junos OS Release 11.4. Following the
description is the title of the manual or manuals to consult for further information.
NOTE: For the latest updates about support and issues on Junos Pulse, see the Junos Pulse Release Notes at http://www.juniper.net/techpubs/en_US/junos-pulse1.0/information-products/pathway-pages/junos-pulse/index.html.
• Software Features on page 183
Software Features
AppSecure
• Application-aware quality of service (AppQoS)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
AppQoS, the application-aware quality-of-service module in AppSecure, provides a
mechanism for prioritizing traffic utilizing the results of the Application Identification
Engine. AppQoS provides application-level traffic control for administrators needing
to ensure that business critical applications get preferential treatment.
AppQoS enables the network administrator to meter, mark, and honor traffic priority
based on application policies. It provides application-aware DSCP marking by implementing Layer-7 application-based DSCP rewriters. To apply different loss priority levels to different traffic groups, Layer 2- to Layer 4-based honoring has been expanded
to Layer 7. AppQoS accomplishes application-aware rate limiting by setting the
bandwidth limit and burst size limit for different applications.
[Junos OS Security Configuration Guide]
• Application groups—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
SRX Series devices allow consolidation of applications under a single group name.
Predefined application groups are downloaded as part of the application signature
database. User-defined groups can be created and deleted.
[Junos OS Security Configuration Guide]
• Application group support for application firewall (AppFW)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
SRX Series devices allow you to configure application firewall policies using application
group names. Application group names provide simplified, consistent reuse when
defining application firewall policies.
[Junos OS Security Configuration Guide]
• Application signature management and usability enhancements—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Juniper Networks provides improvements in the usability and management of predefined
application signatures available through the Junos OS application signature package
subscription service.
• Previously, predefined application signature updateswere downloaded to the Junos
OS configuration file, resulting in an unnecessarily large file. To improve usability,
application signature updates are now downloaded and installed in a separate
application signature database on SRX1400, SRX3400, SRX3600, SRX5600, and
SRX5800 devices.
• Using CLI commands, users can manage predefined and custom application
signatures and application signature groups, as follows:
• View detailed and summary information.
• Copy, disable, and enable predefined application signatures for maximum flexibility
in the use and reuse of predefined application signatures and custom application
signatures.
• Create custom application signatures by copying a predefined application signature
and using it as a template.
• CLI services application-identification commands provide more options for the display and configuration of custom application signatures and application signature groups.
• A new option insert-before customer-signature-name has been added to allow you
to move a custom application signature before a specific predefined application
signature or another custom application signature.
[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS
Security Configuration Guide]
• Nested application identification enhancement—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
New application identification contexts have been added for more extensive nested
application matching.
Several new HTTP contexts have been added for application detection:
• http-get-url-parsed-param-parsed
• http-post-url-parsed-param-parsed
• http-post-variable-parsed
• http-header-user-agent
• http-header-cookie
An SSL context is now supported that identifies a server name in a client or server hello
message.
• ssl-server-name
[Junos OS Security Configuration Guide ]
• Onbox application tracking statistics for AppTrack—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
This feature adds application-level statistics to the AppSecure suite. Application
statistics allow an administrator to access cumulative statistics as well as statistics
accumulated over user-defined intervals. The administrator can clear the statistics
and configure the interval values.
Bytes and session count statistics are maintained. Because the statistics count occurs
at AppTrack session close event time, the byte and session counts are not updated
until the session closes.
SRX Series devices support a history of 8 intervals that an administrator can use to
display the application session and byte counts.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
Flow and Processing
• Central point session scaling—This feature is supported on SRX5800 devices only.
The central point was optimized to increase the total number of central point sessions
to 20 million IPv4 sessions or 10 million IPv6 sessions. This optimization trades
maximum attainable connections per second (CPS) for maximum number of central
point sessions.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
• Global policy—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Unlike other security policies, global policies do not reference specific source and
destination zones (from-zone and to-zone). Global policies allow you to regulate traffic
with addresses and applications, regardless of their security zones. Global policies
reference user-defined addresses or the predefined address “any.” These addresses
can span multiple security zones.
[Junos OS Security Configuration Guide]
• Services offloading—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Services offloading is a mechanism for processing fast-path packets in the network
processor instead of in the Services Processing Unit (SPU). This method reduces the
long packet processing latency that arises when packets are forwarded from network
processors to SPUs for processing and back to I/O cards (IOCs) for transmission.
Services offloading considerably reduces packet processing latency by 500–600
percent.
When the first packet arrives at the interface, the network processor forwards it to the
SPU. If the SPU verifies that the traffic is qualified for services offloading, a
services-offload session is created on the network processor. If the traffic does not
qualify for services offloading, a normal session is created on the network processor.
If a services-offload session is created, the subsequent fast-path packets are processed
in the network processor itself.
NOTE: A normal session forwards packets from the network processor to the SPU for fast-path processing, while a services-offload session processes fast-path packets in the network processor and the packets exit out of the network processor itself.
When a services-offload session is created on the network processor, subsequent
packets are matched with the session. The network processor then processes and
forwards the packets based on the session information, such as TCP sequence check,
time to live (TTL) processing, Network Address Translation (NAT), and Layer 2 header
translation.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
General Packet Radio Service (GPRS)
• GPRS tunneling protocol version 2 (GTPv2)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
GPRS tunneling protocol (GTP) establishes a GTP tunnel between a Serving GPRS
Support Node (SGSN) and a Gateway GPRS Support Node (GGSN) for individual
Mobile Stations (MS). Both GTP version 0 (GTPv0) and GTP version 1 (GTPv1) are
implemented using SGSNs and GGSNs only. However, in GTPv2 the traditional SGSNs
and GGSNs are replaced by three logical nodes—a serving gateway (SGW), a packet
data network gateway (PGW), and a mobility management entity (MME).
You can enable GTPv2 by using the following CLI configuration statement:
set security gprs gtp enable
After configuring the above statement, you must reboot the device for GTPv2 inspection
to take effect. To disable GTPv2, delete the security gprs gtp enable configuration
statement from the device.
NOTE: All GTPv2 features are supported on the device only if the security
gprs gtp enable command is configured on the device.
You can use the show security gprs gtp tunnels operational mode command to display
details about the existing GTPv2 tunnels configured on the device.
NOTE: IPv6 GTPv2 and GTPv2 for logical systems are not supported in Junos OS Release 11.4.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
Intrusion Detection and Prevention (IDP) and AppSecure
• IDP and application identification support for jumbo frames—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The Intrusion Detection and Prevention (IDP) and application identification security
features support the larger jumbo frame size of 9192 bytes. Although jumbo frames
are enabled by default, you can adjust the maximum transmission unit (MTU) size by
using the set interfaces command.
For logging purposes, the total number of packets captured relative to an IDP attack
will decrease due to the larger packet size in a jumbo frame. The default value is five
packets before and five packets after the packet on which an IDP attack is identified.
NOTE: Although CPU overhead can be reduced while processing jumbo frames, the IDP feature itself requires a minimum of 5 MB of memory for session inspection. If the required memory is not available, IDP will not inspect the applicable sessions. You can view IDP data plane memory by using the show security idp memory command.
[Junos OS Feature Support Reference for SRX Series and J Series Devices, Junos OS
Security Configuration Guide]
• IDP attack description—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices for both J-Web and the CLI.
The IDP attack description feature enables users to use the CLI to learn more about
IDP attack objects. Currently, users view IDP attack objects in the
/var/db/idpd/sec-download/SignatureUpdate.xml file, which makes it difficult for
users to investigate and manage IDP attack objects. Users can quickly and easily
administer IDP attack objects when the details are displayed through the CLI.
You can use the show security idp attack description and the show security idp attack
detail operational mode commands to display details about IDP attack objects.
[Junos OS CLI Reference]
IPv6 Support
• Junos OS application identification—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Application firewall was previously supported in the IPv4 environment. Beginningwith
Junos OS Release 11.4, it is also supported on IPv6.
SRX Series devices provide additional security protection against known dynamic
applications that can send traffic that might not be adequately controlled by standard
network firewall policies. The application firewall functionality enforces policies based
on the results of the application identification process. The application identification
process identifies applications using pattern matching, protocol decoding, and heuristics.
To implement application firewall support:
• Network security policy–Modify the policy configuration to support the application
firewall rule set within the existing configuration.
• Application firewall rule set–Define an application firewall rule set to be referenced
by the network security policy.
[Junos OS Security Configuration Guide]
• Web authentication—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Web authentication now supports IPv6 addresses.
[Junos OS Security Configuration Guide]
• Firewall authentication—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Firewall authentication now supports IPv6 addresses.
[Junos OS Security Configuration Guide]
J-Web
• Customer branding of firewall authentication webpage—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Juniper Networks enables the administrator to replace the embedded Juniper Networks
logo present on the firewall authentication webpage with a customer graphic. It also
provides the ability to create a different logo for different logical systems.
• AppQoS monitoring—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
A new Application QoS Monitoring J-Web page allows you to view counters and
statistics for AppQoS activity. The rate limiters statistics pane displays transfer rate
information for recent traffic per PIC. The rules statistics pane displays the amount of
traffic on each PIC broken down by the rule set and rule applied to each session.
Counters for selected rule-sets display AppQoS session activity per PIC.
• IDP monitoring—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 Services Gateways.
The following pages have been added to the J-Web user interface:
• Attacks Monitoring page
• Applications Monitoring page
• IDP performance in J-Web—IDP performance in J-Web has been improved for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Logical Systems
• The logical systems feature is now supported on SRX1400 devices in addition to existing
support on SRX3400, SRX3600, SRX5600, and SRX5800 devices.
[Junos OS Logical Systems Configuration Guide for Security Devices]
• J-Web user and interconnect logical systems configuration—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
When you are logged in to the device as the master administrator, you can configure
logical systems on the Logical System Configuration page. The Logical System
Information page displays information about the logical systems configured on the
device.
When you are logged in to the device as a user logical system administrator, the
following tabs are available to you:
• Dashboard tab—Displays the resources allocated to the logical system.
• Configure tab—Allows you to configure interfaces, NAT, and security features for
the user logical system.
• Monitor tab—Allows you to monitor the configured features of the user logical system.
Copyright © 2011, Juniper Networks, Inc.
• CPU usage allocation and control—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
In Junos OS Release 11.4, the master administrator can configure and control CPU
utilization by logical systems. The master administrator enables CPU utilization control
with the cpu-control configuration statement at the [edit system security-profile
resources] hierarchy level.
When CPU utilization control is enabled, the master administrator can configure the
following CPU utilization parameters:
• Reserved quota of CPU utilization, in percent, is specified for each logical system.
The reserved quota guarantees that a specified percentage of the CPU is always
available to the logical system. The master administrator specifies the reserved CPU
quota in a logical system security profile with the cpu reserved configuration
statement at the [edit system security-profiles profile-name] hierarchy level. The
security profile is applied to one or more logical systems.
If CPU control is enabled and reserved CPU quotas are not configured, the default
reserved quota for the master logical system is 1 percent and the default reserved
quota for user logical systems is 0 percent.
• CPU control target is the upper limit, in percent, for CPU utilization under normal
operating conditions. If the overall CPU utilization surpasses the configured target
value, the Junos OS software initiates controls to bring CPU utilization between the
target value and 90 percent of the target value. During runtime, CPU utilization by
each logical system is measured every two seconds. Dropping packets is used to
reduce the CPU usage for a particular logical system. If the CPU usage of a logical
system exceeds its quota, CPU utilization control drops the packets received on that
logical system. The packet rate is calculated every two seconds based on CPU
utilization of all logical systems.
The master administrator configures the CPU control target with the
cpu-control-target configuration statement at the [edit system security-profile
resources] hierarchy level. The default CPU control target is 80 percent.
The sum of the reserved CPU quotas for all logical systems on the device must be less
than 90 percent of the CPU control target; the difference is a shared CPU resource
that can be allocated among the logical systems that need additional CPU allocation.
The actual CPU quota that a single logical system can use is the sum of its reserved
CPU quota and its portion of the shared CPU resource.
[Junos OS Logical Systems Configuration Guide for Security Devices]
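The quota rules above lend themselves to a pre-commit sanity check. The following is an added example (not Juniper code) that models the three rules the release note states: the reserved-quota defaults when cpu-control is enabled but no quota is set (master 1 percent, user 0 percent), the default cpu-control-target of 80 percent, and the requirement that the sum of all reserved quotas stay below 90 percent of the target, the remainder being the shared pool. The logical system names and the "master" placeholder are constructed; how the shared pool is divided among logical systems is not specified on the page and is not modeled.

```python
"""Planning check for logical-system CPU quotas (added example, not Juniper code)."""
from typing import Dict, Optional

DEFAULT_CPU_CONTROL_TARGET = 80  # percent, default cpu-control-target per the release note
DEFAULT_MASTER_RESERVED = 1      # percent, master logical system default when unset
DEFAULT_USER_RESERVED = 0        # percent, user logical system default when unset
MASTER_LSYS = "master"           # constructed placeholder name for the master logical system


def reserved_quota(lsys: str, configured: Optional[int]) -> int:
    """Reserved CPU quota for one logical system.

    `configured` is the `cpu reserved` value from the security profile bound to
    the logical system, or None when the statement is not configured, in which
    case the release-note defaults apply.
    """
    if configured is not None:
        if not 0 <= configured <= 100:
            raise ValueError("reserved quota must be a percentage: %r" % configured)
        return configured
    return DEFAULT_MASTER_RESERVED if lsys == MASTER_LSYS else DEFAULT_USER_RESERVED


def plan_cpu_quotas(lsys_reserved: Dict[str, Optional[int]],
                    target: int = DEFAULT_CPU_CONTROL_TARGET) -> Dict[str, object]:
    """Resolve quotas, apply the 90-percent-of-target rule and size the shared pool.

    lsys_reserved maps each logical system (master included) to its configured
    reserved percentage, or None when the profile does not set one.
    """
    if not 0 < target <= 100:
        raise ValueError("cpu-control-target must be a percentage: %r" % target)
    quotas = {name: reserved_quota(name, value) for name, value in lsys_reserved.items()}
    reserved_limit = target * 9 / 10          # sum of reserved quotas must stay below this
    total_reserved = sum(quotas.values())
    return {
        "target": target,
        "reserved": quotas,
        "total_reserved": total_reserved,
        "reserved_limit": reserved_limit,
        "shared_pool": reserved_limit - total_reserved,   # allocated on demand among lsys
        "valid": total_reserved < reserved_limit,
        # when utilization exceeds the target, controls aim for this band
        "throttle_band": (reserved_limit, target),
    }


if __name__ == "__main__":
    # Constructed plan: master uses the default, ls-a reserves 20 percent, ls-b the default.
    plan = plan_cpu_quotas({MASTER_LSYS: None, "ls-a": 20, "ls-b": None})
    print(plan)
```

Run it as a script to print the resolved plan, or call plan_cpu_quotas from a provisioning tool before the security profiles are committed; a plan whose "valid" flag is False will be rejected at commit time on the device, so catching it here avoids a failed commit.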
• VPN tunnel—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
This feature allows the master logical system and a user logical system to share a VPN
tunnel in a route-based VPN. The master administrator must assign the security tunnel
(st0) interface to a user logical system. The master administrator configures IKE and
IPsec SA parameters at the root level. The user logical system administrator can change
the attributes of the st0 interface. To send traffic into the tunnel, the user logical system
administrator configures a security policy to permit traffic to a remote destination and
a route with the st0 as the next hop.
NOTE: Only route-based VPNs are supported for logical systems. Policy-based VPNs are not supported.
The master administrator assigns an st0 interface to a user logical system with the
st0 unit number configuration statement at the [edit logical-systems name interfaces]
hierarchy level. The master administrator configures IKE and IPsec in the master logical
system with the VPN configuration at the [edit security ipsec] hierarchy level. VPN
monitoring can be configured by the master administrator at the root level. For the
VPN monitor source interface, the master administrator must specify the st0 interface;
a physical interface for a user logical system cannot be specified.
The user logical system administrator can set attributes for the st0 interface, such as
an IP address, at the [edit interfaces st0 unit number] hierarchy level. The user logical
system administrator configures security policies with the policy configuration statement
at the [edit security policies from-zone zone to-zone zone] hierarchy level and static
routes with the static route configuration statement at the [edit routing-options]
hierarchy level.
[Junos OS Logical Systems Configuration Guide for Security Devices]
• IDP—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
This feature allows the master administrator to configure IDP policies for user logical
systems. The master administrator can create one or more IDP policies at the root
level using intrusion prevention system (IPS) or application-level distributed
denial-of-service (DDoS) rulebases. The master administrator specifies the IDP policy
in a logical system security profile that is bound to one or more user logical systems.
NOTE: In Junos OS Release 11.4, user logical system administrators cannot create or modify IDP policies for their user logical systems. Only the master administrator can create IDP policies.
A single IDP security package is installed on the device for all logical systems. An idp-sig
license must be installed at the root level.
The master administrator configures an IDP policy at the root level using the idp-policy
configuration statement at the [edit security idp] hierarchy level. To specify the IDP
policy in a logical system security profile, the master administrator uses the idp-policy
configuration statement at the [edit system security-profile profile-name] hierarchy
level.
[Junos OS Logical Systems Configuration Guide for Security Devices]
• IPv6 addresses in logical systems—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
In Junos OS Release 11.4, IPv6 addresses can be configured in logical systems for the
following features:
• Interfaces
• Flows
• Zones and security policies
• Screen options
• Network address translation (except for interface NAT)
• Administrative operations with telnet, ssh, https, and other utilities
• Chassis clusters
[Junos OS Logical Systems Configuration Guide for Security Devices]
• Logical system name in security logs—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Security logs are system log messages that include security events. If a device is
configured for logical systems, security logs generated within the context of a logical
system use the name logname_LS (for example, IDP_ATTACK_LOG_EVENT_LS). The
logical system version of a log has the same set of attributes as the log for devices that
are not configured for logical systems, but it also includes logical-system-name as the
first attribute. If a device is configured for logical systems, log parsing scripts might
need to be modified because the log name includes the _LS suffix and the
logical-system-name attribute can be used to segregate logs by logical system.
If a device is not configured for logical systems, the security logs remain unchanged
and scripts built to parse logs do not need any modification.
NOTE: Only themaster administrator can configure logging at the [edit
security log] hierarchy level. User logical system administrators cannot
configure logging for their logical systems.
[Junos OS Logical Systems Configuration Guide for Security Devices]
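The parsing change described above (the _LS suffix on the log name and logical-system-name as the first attribute) is the kind of thing a log collector must handle for both device configurations at once. The following is an added example, not Juniper code: a small Python parser that accepts both the plain and the _LS form of a security log, strips the suffix to recover the base log name, pulls logical-system-name from the first attribute when present, and groups records by logical system. The sample lines are constructed in a generic structured-data style; the attribute names, the SD-ID placeholder and the addresses are assumptions, not captured device output.

```python
"""Parse SRX security logs with and without the logical-system _LS suffix.

Added example (not Juniper code). Sample lines are constructed.
"""
import re
from typing import Dict, List, Optional

LS_SUFFIX = "_LS"

# Log name followed by a structured-data block of key="value" attributes.
LOG_RE = re.compile(
    r'^(?:(?P<process>\w+):\s+)?'            # optional "RT_IDP:" style prefix
    r'(?P<event>[A-Z][A-Z0-9_]*)\s+'          # log name, e.g. IDP_ATTACK_LOG_EVENT_LS
    r'\[(?P<sdid>\S+)'                        # structured-data id (placeholder here)
    r'(?P<attrs>(?:\s+[\w-]+="[^"]*")*)\s*\]\s*$'
)
ATTR_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed sample lines (not captured from a device); attribute names are
# illustrative and "junos@EXAMPLE-SDID" is a placeholder for the real SD-ID.
SAMPLE_LOGS = [
    'RT_IDP: IDP_ATTACK_LOG_EVENT [junos@EXAMPLE-SDID epoch-time="1322740800" '
    'source-address="192.0.2.10" destination-address="198.51.100.5" '
    'attack-name="EXAMPLE:ATTACK"]',
    'RT_IDP: IDP_ATTACK_LOG_EVENT_LS [junos@EXAMPLE-SDID '
    'logical-system-name="ls-product-design" epoch-time="1322740801" '
    'source-address="192.0.2.11" destination-address="198.51.100.6" '
    'attack-name="EXAMPLE:ATTACK"]',
    'RT_IDP: IDP_ATTACK_LOG_EVENT_LS [junos@EXAMPLE-SDID '
    'logical-system-name="ls-marketing" epoch-time="1322740802" '
    'source-address="192.0.2.12" destination-address="198.51.100.7" '
    'attack-name="EXAMPLE:ATTACK"]',
]


def parse_security_log(line: str) -> Optional[Dict[str, object]]:
    """Return a record for one log line, or None if the line is not a security log.

    For an _LS log the base name is the name with the suffix removed, and the
    first attribute must be logical-system-name, as the release note states.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.group("event")
    attrs = ATTR_RE.findall(m.group("attrs"))   # (name, value) pairs, order preserved
    record: Dict[str, object] = {
        "event": event,
        "base_event": event,
        "logical_system": None,
        "attributes": dict(attrs),
    }
    if event.endswith(LS_SUFFIX):
        record["base_event"] = event[:-len(LS_SUFFIX)]
        if not attrs or attrs[0][0] != "logical-system-name":
            raise ValueError("_LS log without leading logical-system-name: %s" % event)
        record["logical_system"] = attrs[0][1]
    return record


def group_by_logical_system(lines: List[str]) -> Dict[Optional[str], List[Dict[str, object]]]:
    """Segregate parsed logs by logical system; None holds non-logical-system logs."""
    groups: Dict[Optional[str], List[Dict[str, object]]] = {}
    for line in lines:
        rec = parse_security_log(line)
        if rec is None:
            continue
        groups.setdefault(rec["logical_system"], []).append(rec)  # type: ignore[arg-type]
    return groups


if __name__ == "__main__":
    for lsys, records in group_by_logical_system(SAMPLE_LOGS).items():
        print(lsys, [r["base_event"] for r in records])
```

Keying detections on base_event rather than event keeps one rule working for devices with and without logical systems, while logical_system gives the per-tenant split the note describes.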
• Data path debugging for traffic between logical systems—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Data path debugging provides tracing and debugging at multiple processing units along
the packet-processing path. Data path debugging can also be performed on traffic
between logical systems. Only the master administrator can configure data path
debugging for logical systems at the [edit security datapath-debug] hierarchy level.
User logical system administrators cannot configure data path debugging for their
logical systems.
When tracing is configured for the jexec event type, the trace output contains logical
system information. The master administrator can also configure tracing for traffic
between logical systems by specifying the lt-enter and lt-leave event types. The trace
output shows traffic entering and leaving the logical tunnel between logical systems.
The preserve-trace-order option can be configured to sort the output chronologically.
In addition to the trace action, other actions such as packet-dump and packet-summary
can be configured for the lt-enter and lt-leave events.
[Junos OS Logical Systems Configuration Guide for Security Devices]
• Multicast traffic—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Multicast is a “one source, many destinations” method of traffic distribution, meaning
that the destinations needing to receive the information from a particular source receive
the traffic stream. In Junos OS Release 11.4, the master and user logical system
administrators can configure a logical system to support multicast applications. The
same multicast configurations to configure a device as a node in a multicast network
can be used in a logical system.
[Junos OS Routing Protocols and Policies Configuration Guide for Security Devices]
• Application firewall support on logical systems—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The Juniper Networks application firewall enables administrators of logical systems
to create security policies for traffic based on the results of the application identification
engine. The application firewall policy provides additional security protection against
dynamic application traffic that might not be adequately controlled by standard
network firewall policies.
Configuring an application firewall policy on a logical system is the same process as
configuring an application firewall policy on a device that is not configured with logical
systems. However, the application firewall policy applies only to the logical system for
which it is configured. The master administrator can configure, enable, and monitor
application firewall policies on the master logical system and all user logical systems
on a device. The user logical system administrators can configure, enable, and monitor
an application firewall policy only on the user logical systems for which they have
access.
To implement this feature:
• Network security policy—The master administrator defines a security profile and
allocates a number of system resources for use by logical systems on the device. In
this case, the application firewall resources (appfw-rule-set and appfw-rule) are
added to the security profile, and the security profile is bound to a logical system.
The master administrator and user logical system administrators add the application
firewall configuration to the security policy for their respective logical systems.
• Application firewall—The master administrator and user logical system administrators
configure and manage application firewall rule sets and rules for their respective
logical systems.
[Junos OS Logical Systems Configuration Guide for Security Devices]
Network Address Translation (NAT)
• Configurable capacity for source NAT pools with PAT—On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the capacity of source NAT pools and IP
addresses has been increased to support more users. When Port Address Translations
(PAT) are set for each IP address, automatic checks ensure memory limits are not
exceeded.
[Junos OS Security Configuration Guide, Junos OS CLI Reference]
Security
• GTP IE removal—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The multiple versions of the Third-Generation Partnership Project (3GPP) create
interoperability problems in the mobile network. Junos OS Release 11.4 supports removal
of R7, R8, and R9 information elements (IEs) of the GTPv1 messages, which allows
you to retain interoperability.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
• Aggressive session aging—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The aggressive session aging mechanism accelerates the session timeout process
when the number of sessions in the session table exceeds a specified high-watermark
threshold. This minimizes the likelihood of the SRX Series devices rejecting new sessions
when the session table is full.
[Junos OS Security Configuration Guide]
• EZchip low latency—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
The high-end SRX Series devices currently have long packet-processing latency because
of packet processing through the Services Processing Unit (SPU) and through several
stages of buffers in the data path.
This feature introduces a local forwarding solution where the fast-path packets are
processed by the EZchip on the I/O Card (IOC), without going through the switch fabric
or the SPU. This solution reduces latency. The user needs to have a permanent
low-latency firewall license to enable this feature on the chassis.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
• Security policies for self-traffic—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Users can now configure security policies for the self-traffic (the host inbound traffic
or the host outbound traffic) of the device. The user can further apply relevant services
to the new self-traffic policy.
The security policies for the self-traffic are configured under the new default security
zone called junos-host zone.
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
VPN
• Internet Key Exchange version 2 (IKEv2)—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
IKEv2 is the next-generation standard for secure key exchange between peer devices,
defined in RFC 4306. IKEv2 is available in Junos OS Release 11.4, for securing IPsec
traffic. The initial release does not support all the capabilities described in the RFCs.
The advantages of using version 2 over version 1 are as follows:
• Simplifies the existing IKEv1
• Single RFC, including NAT-T, EAP and remote address acquisition
• Replaces the 8 initial exchanges with a single 4-message exchange
• Reduces the latency for the IPsec SA setup and increases connection establishment
speed
• Increases robustness against DoS attack
• Improves reliability through the use of sequence numbers, acknowledgements, and
error correction
• Provides forward compatibility
• Provides simple cryptographic mechanisms
IKEv2 includes support for:
• Route-based VPN
• Site-to-site VPN
• Dead peer detection (liveness check)
• Chassis cluster
• Certificate-based authentication
• Hardware offloading of the ModExp operations in a Diffie-Hellman (DH) exchange
• IKE and child SA rekeying—In IKEv2, a child security association (SA) cannot exist
without the underlying IKE SA. If a child SA is required, it will be rekeyed; however, if
the child SAs are currently active, the corresponding IKE SA will be rekeyed.
• IKE version 1 and IKE version 2
[Junos OS CLI Reference, Junos OS Security Configuration Guide]
• Site-to-site VPN support for NAT-T—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
Site-to-site IKE gateway configuration for Network Address Translation-Traversal
(NAT-T) is now supported on the server side (IKE responder). This is in addition to the
current implementation of NAT-T support for dynamic IKE gateway configuration. A
remote-identity value is used to validate a peer’s ike-id or id during Phase 1 of IKE tunnel
negotiation.
[Junos OS Security Configuration Guide]
SNMP
• Juniper Networks enterprise-specific License MIB—This feature is supported on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. This feature extends
SNMP support for licensing information.
The enterprise-specific License MIB:
• Contains information about license features and the expiration details to reduce the
burden involved in managing licenses.
• Generates traps to alert users. For example, an alert is generated when a license
expires or when the total number of users exceeds the maximum number specified
in the license.
• Provides access to license-related information through the SNMP get and get-next operations.
[Junos OS SNMP MIBs and Traps Reference; MIB Reference for SRX1400, SRX3400, and
SRX3600 Services Gateways; MIB Reference for SRX5600 and SRX5800 Services
Gateways]
Related Documentation
• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 212
• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 217
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX
Series Services Gateways on page 220
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX
Series Services Gateways on page 195
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 198
Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways
The following current system behavior, configuration statement usage, and operational
mode command usage might not yet be documented in the Junos OS documentation:
AppSecure Application Package Upgrade Changes
• Application signatures removed after upgrading to Junos OS Release 11.4—This change applies to SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices
that use the application identification signature package.
In Junos OS Release 11.4, the application signature package is downloaded and installed
in a separate database, not in the Junos OS configuration file as in previous Junos OS
releases.
When you upgrade an SRX Series device from Junos OS Release 11.2 to Junos OS
Release 11.4, any predefined application signatures and signature groups from the
Junos OS Release 11.2 configuration will be removed when you install the latest
predefined signatures and signature groups by using the request services application-identification install command. However, the upgrade will not remove custom signatures and signature groups from the Junos OS configuration.
For information about using the request services application-identification download and request services application-identification install commands, see the Junos OS CLI Reference.
General Packet Radio Service (GPRS)
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices in active/active
chassis cluster mode with GPRS enabled, the seq-number-validated command is
disabled in the GTP profile and is no longer available for configuration.
Intrusion Detection and Prevention (IDP)
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, for a dynamic attack group
using the direction filter, the expression AND should be used in the exclude values. As
is the case with all filters, the default expression is OR. However, there is a choice of
AND in the case of the direction filter.
For example, if you want to choose all attacks with the direction client-to-server,
configure the direction filter using the set security idp dynamic-attack-group dyn1 filters
direction values client-to-server command.
In the case of chain attacks, each of the multiple members has its own direction. If a
policy includes chain attacks, a client-to-server filter selects all chain attacks that have
any member with client-to-server as the direction. This means chain attacks that
include members with server-to-client or ANY as the direction are selected if the chain
has at least one member with client-to-server as the direction.
To prevent these chain attacks from being added to the policy, configure the dynamic
group as follows:
• set security idp dynamic-attack-group dyn1 filters direction expression and
• set security idp dynamic-attack-group dyn1 filters direction values client-to-server
• set security idp dynamic-attack-group dyn1 filters direction values
exclude-server-to-client
• set security idp dynamic-attack-group dyn1 filters direction values exclude-any
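The chain-attack behaviour described above is easy to get wrong when building dynamic groups, so here is an added example (not Juniper code) that models it in Python: with the default OR expression a client-to-server filter selects every chain that has at least one client-to-server member, whereas the AND expression together with exclude-server-to-client and exclude-any keeps only chains whose members are all client-to-server. The attack names are constructed, a plain attack is modeled as a one-member chain, and the way an exclude value combines under OR is an assumption of the model (the page only describes the AND case).

```python
"""Model of the IDP dynamic-attack-group direction filter over chain attacks.

Added example (not Juniper code). Attack objects are constructed.
"""
from typing import Dict, List

DIRECTIONS = {"client-to-server", "server-to-client", "any"}
EXCLUDE_PREFIX = "exclude-"

# Constructed attack objects: a chain attack is the list of its members'
# directions; a plain (non-chain) attack is a one-element list.
SAMPLE_ATTACKS: Dict[str, List[str]] = {
    "PLAIN-C2S": ["client-to-server"],
    "PLAIN-ANY": ["any"],
    "CHAIN-C2S-ONLY": ["client-to-server", "client-to-server"],
    "CHAIN-MIXED": ["client-to-server", "server-to-client"],
    "CHAIN-C2S-ANY": ["client-to-server", "any"],
}


def _check_direction(direction: str) -> None:
    if direction not in DIRECTIONS:
        raise ValueError("unknown direction value: %r" % direction)


def _condition_holds(value: str, members: List[str]) -> bool:
    """One filter value against one attack.

    A plain value holds when any member has that direction (this is why a
    mixed chain matches client-to-server). An exclude-<direction> value holds
    only when no member has that direction.
    """
    if value.startswith(EXCLUDE_PREFIX):
        direction = value[len(EXCLUDE_PREFIX):]
        _check_direction(direction)
        return direction not in members
    _check_direction(value)
    return value in members


def direction_filter_selects(members: List[str], values: List[str],
                             expression: str = "or") -> bool:
    """Apply the direction filter; OR is the default expression, AND is optional."""
    if expression not in ("or", "and"):
        raise ValueError("expression must be 'or' or 'and'")
    results = [_condition_holds(v, members) for v in values]
    return all(results) if expression == "and" else any(results)


def select_attacks(attacks: Dict[str, List[str]], values: List[str],
                   expression: str = "or") -> List[str]:
    """Names of the attacks the dynamic group would pull in, sorted for stable output."""
    return sorted(name for name, members in attacks.items()
                  if direction_filter_selects(members, values, expression))


if __name__ == "__main__":
    # Default OR: the mixed chain is selected because one member is client-to-server.
    print("or :", select_attacks(SAMPLE_ATTACKS, ["client-to-server"]))
    # AND with excludes, as the release note recommends: mixed chains drop out.
    print("and:", select_attacks(
        SAMPLE_ATTACKS,
        ["client-to-server", "exclude-server-to-client", "exclude-any"],
        "and"))
```

The AND form is the one to use when the policy must not silently widen to server-to-client members; the OR form is fine when any client-to-server coverage in a chain is acceptable.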
IPv6
• On all SRX and J Series devices, a new configuration option for IPv6 Neighbor Discovery
Protocol (NDP) is added. This option will prevent the device from responding to a
Neighbor Solicitation (NS) from a prefix which was not included as one of the device
interface prefixes.
The new command is:
set protocol neighbor-discovery onlink-subnet-only
NOTE: The Routing Engine needs to be rebooted after setting this option to remove any possibility of a previous IPv6 entry from remaining in the forwarding table.
Management Information Base (MIB)
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in a chassis
cluster environment, the calculation of the primary and secondary node sessions in
the JnxJsSPUMonitoringObjectsTable object of the SPU monitoring MIB is incorrect because the MIB object jnxJsSPUMonitoringCurrentTotalSession incorrectly displays total sessions. A doubled session count is displayed because the active and backup nodes
are treated as separate sessions, although they are not.
Only the session numbers on the local node are now counted, which avoids the double count;
the local total sessions are displayed.
In a chassis cluster environment, the SPUMonitoringCurrentTotalSession object of the MIB adds information per each SPU from the local node.
[MIB Reference for SRX1400, SRX3400, and SRX3600 Services Gateways; MIB Reference
for SRX5600 and SRX5800 Services Gateways]
Multicast
• On SRX1400, SRX3400, SRX3600, SRX5600 and SRX5800 devices, if the maximum
number of leaves on a multicast distribution tree is exceeded, multicast sessions are
created up to the maximum number of leaves, and any multicast sessions that exceed
the maximum number of leaves are ignored. In previous releases, no multicast traffic
was forwarded if the maximum number of leaves on the multicast distribution tree
was exceeded. The maximum number of leaves on a multicast distribution tree is
device specific.
Security
• Public key infrastructure (PKI) objects include certificates, key pairs, and certificate
revocation lists (CRLs). PKI objects are read from the PKI database when the PKI
daemon (PKID) starts. The PKID database loads all certificates into memory at boot
time.
When an object is read into memory from the PKI database, the following new log
message is created:
PKID_PV_OBJECT_READ: A PKI object was read into memory from <location>
Related Documentation
• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on
page 182
• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 212
• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 217
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX
Series Services Gateways on page 220
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 198
Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways
AppSecure
• When you create custom application or nested application signatures for Junos OS
application identification, the order value must be unique among all predefined and
custom application signatures. The order value determines the application matching
priority of the application signature.
The order value is set with the set services application-identification application
application-name signature order command. You can also view all signature order
values by entering the show services application-identification | display set | match order
command. You will need to change the order number of the custom signature if it
conflicts with another application signature.
• J-Web pages for AppSecure are preliminary.
• Custom application signatures and custom nested application signatures are not
currently supported by J-Web.
• AppFW does not operate on ALG data sessions. As a result, the AppFW rules are not
applicable to these sessions. Therefore, ALG data sessions are excluded from AppFW
counters.
Chassis Cluster
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices in a chassis cluster, only
four QoS queues are supported per reth/ae interface.
• In large chassis cluster configurations on SRX3400 or SRX3600 devices, you need to
increase the wait time before triggering failover. In a full-capacity implementation, we
recommend increasing the wait to 8 seconds by modifying heartbeat-threshold and
heartbeat-interval values in the [edit chassis cluster] hierarchy.
The product of the heartbeat-threshold and heartbeat-interval values defines the time
before failover. The default values (heartbeat-threshold of 3 beats and
heartbeat-interval of 1000 milliseconds) produce a wait time of 3 seconds.
To change the wait time, modify the option values so that the product equals the
desired setting. For example, setting the heartbeat-threshold to 8 and maintaining the
default value for the heartbeat-interval (1000 milliseconds) yields a wait time of
8 seconds. Likewise, setting the heartbeat-threshold to 4 and the heartbeat-interval to
2000 milliseconds also yields a wait time of 8 seconds.
• Packet-based forwarding for MPLS and International Organization for Standardization
(ISO) protocol families is not supported.
• On SRX Series devices, only two of the 10 ports on each PIC of 40-port 1-Gigabit
Ethernet I/O cards (IOCs) for SRX5600 and SRX5800 devices can simultaneously
enable IP address monitoring. Because there are four PICs per IOC, this permits a total
of eight ports per IOC to be monitored. If more than two ports per PIC on 40-port
1-Gigabit Ethernet IOCs are configured for IP address monitoring, the commit will
succeed but a log entry will be generated, and the accuracy and stability of IP address
monitoring cannot be ensured. This limitation does not apply to any other IOCs or
devices.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IP address
monitoring is not permitted on redundant Ethernet interface link aggregation groups
(LAGs) or on child interfaces of redundant Ethernet interface LAGs.
• On SRX1400, SRX3000 and SRX5000 line chassis clusters, screen statistics data can
be gathered on the primary device only.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, ISSU does not
support version downgrading.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, only redundant
Ethernet interfaces (reth) are supported for IKE external interface configuration in
IPsec VPN. Other interface types can be configured, but IPsec VPN might not work.
Dynamic Host Configuration Protocol (DHCP)
• SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices do not support
DHCPv6 client authentication.
Dynamic VPN
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, DH-group 14 is
not supported for dynamic VPN.
Flow and Processing
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when
packet-logging functionality is configured with an improved pre-attack configuration
parameter value, the resource usage increases proportionally and might affect the
performance.
• Services offloading has the following limitations on SRX1400, SRX3400, SRX3600,
SRX5600, and SRX5800 devices:
• Transparent mode is not supported. If transparent mode is configured, a normal
session is installed.
• Link aggregation group (LAG) is not supported. If a LAG is configured, a normal
session is installed.
• Only multicast sessions with one fan-out are supported. If a multicast session with
more than one fan-out exists, a normal session is installed.
• Only active/passive chassis cluster (HA) configuration is supported. Active/active
chassis cluster configuration is not supported.
• Fragmented packets are not supported. If fragmented packets exist, a normal session
is installed.
• Ingress and egress interfaces on different network processors are not supported. If
an ingress interface and the related egress interface do not belong to the same
network processor, a normal session is installed on the network processor.
• IP version6 (IPv6) is not supported. If IPv6 is configured, a normal session is installed.
NOTE: A normal session forwards packets from the network processor to the Services Processing Unit (SPU) for fast-path processing, while a services-offload session processes fast-path packets in the network processor and the packets exit out of the network processor itself.
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the default authentication
table capacity is 45,000; the administrator can increase the capacity to a maximum
of 50,000.
• On SRX1400 devices, the default authentication table capacity is 10,000; the
administrator can increase the capacity to a maximum of 15,000.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when devices
are operating in flow mode, the Routing Engine side cannot detect the path maximum
transmission unit (PMTU) of an IPv6 multicast address (with a large size packet).
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, you cannot
configure route policies and route patterns in the same dial plan.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, high CPU
utilization triggered for reasons such as CPU intensive commands and SNMP walks
causes the Bidirectional Forwarding Detection protocol (BFD) to flap while processing
large BGP updates.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, downgrading
is not supported in low-impact ISSU chassis cluster upgrades (LICU).
• On SRX5800 devices, network processing bundling is not supported in Layer 2
transparent mode.
Hardware
This section covers filter and policing limitations.
• On SRX1400, SRX3400 and SRX3600 devices, the following feature is not supported
by a simple filter:
• Forwarding class as match condition
• On SRX1400, SRX3400 and SRX3600 devices, the following features are not supported
by a policer or a three-color-policer:
• Color-aware mode of a three-color-policer
• Filter-specific policer
• Forwarding class as action of a policer
• Logical interface policer
• Logical interface three-color policer
• Logical interface bandwidth policer
• Packet loss priority as action of a policer
• Packet loss priority as action of a three-color-policer
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following
features are not supported by a firewall filter:
• Policer action
• Egress filter-based forwarding (FBF)
• Forwarding table filter (FTF)
• Egress filter-based forwarding (FBF) within the same zone over IP-IP and generic
routing encapsulation (GRE) tunnel is not supported.
• If egress FBF redirects a packet to a zone that is different from the original obtained
from the previous route lookup and flow processing, then the packet is dropped.
• SRX3400 and SRX3600 devices have the following limitations of a simple filter:
• Forwarding class as match condition
• In the packet processor on an IOC, up to 100 logical interfaces can be applied with
simple filters.
• In the packet processor on an IOC, the maximum number of terms of all simple filters
is 4000.
• In the packet processor on an IOC, the maximum number of policers is 4000.
• In the packet processor on an IOC, the maximum number of three-color-policers is
2000.
• The maximum burst size of a policer or three-color-policer is 16 MB.
• On SRX3400 and SRX3600 devices, when you enable the monitor traffic option using
the monitor traffic command to monitor the FXP interface traffic, interface bounce
occurs. You must use the monitor traffic interface fxp0 no-promiscuous command to
avoid the issue.
Interfaces and Routing
• On SRX3000 and SRX5000 line devices, the set protocols bgp family inet flow and set
routing-options flow CLI statements are no longer available, because BGP flow spec
functionality is not supported on these devices.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the Link
Aggregation Control Protocol (LACP) is not supported on Layer 2 interfaces.
• On SRX1400, SRX3400, SRX3600, SRX5600 and SRX5800 devices, BGP-based
virtual private LAN service (VPLS) over aggregated Ethernet (ae) interfaces is not
supported. It works on child ports and physical interfaces.
Internet Key Exchange Version 2 (IKEv2)
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKEv2 does not
include support for:
• Policy-based tunnels
• Dial-up tunnels
• Network Address Translation-Traversal (NAT-T)
• VPN monitoring
• Next-Hop Tunnel Binding (NHTP) for st0—Reusing the same tunnel interface for
multiple tunnels
• Extensible Authentication Protocol (EAP)
• IPv6
• Multiple child SAs for the same traffic selectors for each QoS value
• Proposal enhancement features
• Reuse of Diffie-Hellman (DH) exponentials
• Configuration payloads
• IP Payload Compression Protocol (IPComp)
• Dynamic Endpoint (DEP)
Intrusion Detection and Prevention (IDP)
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, from Junos OS Release 11.2
and later, the IDP security package is based on the Berkeley database. Hence, when
the Junos OS image is upgraded from Junos OS Release 11.1 or earlier to Junos OS 11.2
or later, a migration of IDP security package files needs to be performed. This is done
automatically on upgrade when the IDP daemon comes up. Similarly, when the image
is downgraded, a migration (secDb install) is automatically performed when the IDP
daemon comes up, and previously installed database files get deleted. However,
migration depends on the XML files for the installed database being present on
the device. For first-time installation, full update files are required. If the last update
on the device was an incremental update, migration might fail. In such a case, you have
to manually download and install the IDP security package using the download or
install CLI command before using the IDP configuration with predefined attacks or
groups.
Workaround: Use the CLI command request security idp security-package download
full-update to manually download the individual components of the security package
from the Juniper Security Engineering portal before upgrading or downgrading the
image in the previous case.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IDP policies
for each user logical system are compiled together and stored on the data plane
memory. To estimate adequate data plane memory for a configuration, consider these
two factors:
• IDP policies applied to each user logical system are considered unique instances
because the ID and zones for each user logical system are different. Estimates need
to take into account the combined memory requirements for all user logical systems.
• As the application database increases, compiled policies will require more memory.
Memory usage should be kept below the available data plane memory to allow for
database increases.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, ingress as
ge-0/0/2 and egress as ge-0/0/2.100 works with flow showing both source and
destination interface as ge-0/0/2.100.
• IDP does not allow header checks for nonpacket contexts.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level
distributed denial-of-service (application-level DDoS) detection does not work if two
rules with different application-level DDoS applications process traffic going to a single
destination application server. When setting up application-level DDoS rules, make
sure that you do not configure rulebase-ddos rules that have two different
application-ddos objects when the traffic destined to one application server can process
more than one rule. Essentially, for each protected application server, you have to
configure the application-level DDoS rules so that traffic destined for one protected
server processes only one application-level DDoS rule.
NOTE: Application-level DDoS rules are terminal, which means that once traffic is processed by one rule, it will not be processed by other rules.
The following configuration options can be committed, but they will not work properly:
Application Server   application-ddos   service   destination-ip   destination-zone   source-zone
1.1.1.1:80           http-appddos1      http      any              dst-1              source-zone-1
1.1.1.1:80           http-appddos2      http      any              dst-1              source-zone-2
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, application-level DDoS
rule base (rulebase-ddos) does not support port mapping. If you configure an
application other than default, and if the application is from either predefined Junos
OS applications or a custom application that maps an application service to a
nonstandard port, application-level DDoS detection will not work.
When you configure the application setting as default, intrusion detection and
prevention (IDP) uses application identification to detect applications running on
standard and nonstandard ports; thus, the application-level DDoS detection would
work properly.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, all IDP policy
templates are supported except All Attacks. There is a 100-MB policy size limit for
integrated mode and a 150-MB policy size limit for dedicated mode. The current IDP
policy templates supported are dynamic, based on the attack signatures being added.
Therefore, be aware that supported templates might eventually grow past the
policy-size limit.
On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following
IDP policies are supported:
• DMZ_Services
• DNS_Service
• File_Server
• Getting_Started
• IDP_Default
• Recommended
• Web_Server
• IDP deployed in both active/active and active/passive chassis clusters has the following
limitations:
• No inspection of sessions that fail over or fail back.
• The IP action table is not synchronized across nodes.
• The Routing Engine on the secondary node might not be able to reach networks that
are reachable only through a Packet Forwarding Engine.
• The SSL session ID cache is not synchronized across nodes. If an SSL session reuses
a session ID and it happens to be processed on a node other than the one on which
the session ID is cached, the SSL session cannot be decrypted and will be bypassed
for IDP inspection.
• IDP deployed in active/active chassis clusters has a limitation that for time-binding
scope source traffic, if attacks from a source (with more than one destination) have
active sessions distributed across nodes, then the attack might not be detected because
time-binding counting has a local-node-only view. Detecting this sort of attack requires
an RTO synchronization of the time-binding state that is not currently supported.
Internet Protocol Security (IPsec)
• On SRX Series devices, when you enable VPN, overlapping of the IP addresses across
virtual routers (VRs) is supported partially with following limitations:
• An IKE external interface address cannot overlap with any other VR.
• An internal/trust interface address can overlap across VRs.
• An st0 interface address cannot overlap in route-based VPN in point-to-multipoint
tunnel such as NHTB.
• An st0 interface address can overlap in route-based VPN in point-to-point tunnel.
IPv6 IPsec
IPv6 IPsec implementation has the following limitations:
• IPv6 routers do not perform fragmentation. IPv6 hosts should either perform path
maximum transmission unit (PMTU) discovery or send packets smaller than the IPv6
minimum MTU size of 1280 bytes.
• Because IPv6 addresses are 128 bits long compared to IPv4 addresses, which are
32 bits long, IPv6 IPsec packet processing requires more resources. Therefore, a small
performance degradation is observed.
• IPv6 uses more memory to set up the IPsec tunnel. Therefore, the IPsec IPv4 tunnel
scalability numbers might drop.
• The addition of IPv6 capability might cause a drop in the IPsec IPv4-in-IPv4 tunnel
throughput performance.
• The IPv6 IPsec VPN does not support the following functions:
• 4in6 and 6in4 policy-based site-to-site VPN, IKE
• 4in6 and 6in4 route-based site-to-site VPN, IKE
• 4in6 and 6in4 policy-based site-to-site VPN, Manual Key
• 4in6 and 6in4 route-based site-to-site VPN, Manual Key
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, IKE
• 4in4, 6in6, 4in6, and 6in4 policy-based dial-up VPN, Manual Key
• Remote Access—XAuth, config mode, and shared IKE identity with mandatory XAuth
• IKE authentication—public key infrastructure/digital signature algorithm (PKI/DSA)
• IKE peer type—Dynamic IP
• Chassis cluster for basic VPN features
• IKE authentication—PKI/RSA
• NAT-Traversal
• VPN monitoring
• Hub-and-spoke VPNs
• Next Hop Tunnel Binding Table (NHTB)
• Dead Peer Detection (DPD)
• Simple Network Management Protocol (SNMP) for IPsec VPNMIBs
• Chassis cluster for advanced VPN features
• IPv6 link-local address
• SRX Series high-end devices (for example, SRX3000 and SRX5000 lines)
dependency
IPv6 Support
• NSM—Consult the Network and Security Manager (NSM) release notes for version
compatibility, required schema updates, platform limitations, and other specific details
regarding NSM support for IPv6 addressing on SRX3400, SRX3600, SRX5600, and
SRX5800 devices.
• Security policy—IDP for IPv6 sessions is supported only for SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices. UTM for IPv6 sessions is not supported.
If your current security policy uses rules with the IP address wildcard any, and UTM
features are enabled, you will encounter configuration commit errors because UTM
features do not yet support IPv6 addresses. To resolve the errors, modify the rule
returning the error so that it uses the any-ipv4 wildcard; and create separate rules for
IPv6 traffic that do not include UTM features.
J-Web
• J-Web browser support compatibility for Dell PowerConnect SRX Series and SRX Series Devices—To access J-Web for all platforms, your device requires the following supported browsers and OS:
• To access the J-Web interface, your management device requires the following
software:
• Supported browsers—Microsoft Internet Explorer version 7.0 or Mozilla Firefox
version 3.0
• Language support—English-version browsers
• Supported OS—Microsoft Windows XP Service Pack 3
• If the device is running the worldwide version of the Junos OS and you are using the
Microsoft Internet Explorer Web browser, you must disable the Use SSL 3.0 option in
the Web browser to access the device.
• To use the Chassis View, a recent version of Adobe Flash that supports ActionScript
and AJAX (Version 9) must be installed. Also note that the Chassis View is displayed
by default on the Dashboard page. You can enable or disable it using options in the
Dashboard Preference dialog box, but clearing cookies in Internet Explorer also causes
the Chassis View to be displayed.
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, in the J-Web interface,
there is no support for changing the T1 interface to an E1 interface or vice versa. As a
workaround, use the CLI to convert from T1 to E1 and vice versa.
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, users cannot differentiate
between Active and Inactive configurations on the System Identity, Management
Access, User Management, and Date & Time pages.
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, you cannot use J-Web to
configure a VLAN interface for an IKE gateway. VLAN interfaces are not currently
supported for use as IKE external interfaces.
Logical Systems
• The master logical system must not be bound to a security profile that is configured
with a 0 percent reserved CPU quota as traffic loss could occur. When upgrading an
SRX1400, SRX3400, SRX3600, SRX5600, or SRX5800 device from Junos OS Release
11.2, make sure that the reserved CPU quota in the security profile that is bound to the
master logical system is configured for 1 percent or more. After upgrading from Junos
OS Release 11.2, the reserved CPU quota is added to the default security profile with
a value of 1 percent.
• Starting with Junos OS Release 11.2, address books can be defined under the [security]
hierarchy level instead of the [security zones] hierarchy level. This enhancement makes
configuring your network simpler by allowing you to share IP addresses in address
books when configuring features such as security policies and NAT. You can attach
zones to address books—this is known as zone-attached configuration.
Junos OS Release 11.4 continues to support address book configuration under the
[security zones] hierarchy level—this is known as zone-defined configuration. However,
we recommend that zone-attached address book configuration be used in the master
logical system and user logical systems.
If you upgraded your SRX1400, SRX3400, SRX3600, SRX5600, or SRX5800 device
to this Junos OS Release 11.4, and are configuring logical systems on the device, the
master logical system retains any previously configured zone-defined address book
configuration. The master administrator can run the address book upgrade script to
convert zone-defined configuration to zone-attached configuration. The upgrade script
converts all zone-defined configurations in the master logical system and user logical
systems. See section “Upgrade and Downgrade Scripts for Address Book Configuration”
of “Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX
Series Services Gateways” on page 223.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the logical
systems feature does not support ALGs for user logical systems because ALGs are
configured globally. If you enable ALGs at the root master logical system level, they
are also enabled for user logical systems in this Junos OS Release 11.4. In this case, user
logical system traffic is processed by the ALGs, and corresponding ALG flow sessions
are initiated under the user logical system. You can only enable and disable ALGs at
the root master logical system level.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, in this Junos OS
Release 11.4, the IPv6 forwarding and the logical system configuration are mutually
exclusive. If you enable the IPv6 forwarding options (packet mode or flow mode), the
logical system configuration related commit will fail and vice versa.
You can still configure certain IPv6 objects under the root logical system and the user
logical system if the system is in default mode (DROP). However, you cannot forward
IPv6 traffic in this case.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, quality-of-service
(QoS) classification across interconnected logical systems does not work.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the number of
logical system security profiles you can create is constrained by an internal limit on
security profile IDs. The security profile ID range is from 1 through 32, with ID 0 reserved
for the internally configured default security profile. When the maximum number of
security profiles is reached, if you want to add a new security profile, you must first
delete one or more existing security profiles, commit the configuration, and then create
the new security profile and commit it. You cannot add a new security profile and
remove an existing one within a single configuration commit.
If you want to add more than one new security profile, the same rule is true. You must
first delete the equivalent number of existing security profiles, commit the configuration,
and then create the new security profiles and commit them.
• User and administrator configuration for logical systems—Configuration for users for all logical systems and all user logical systems administrators must be done at the
root level by the master administrator. A user logical system administrator cannot
create other user logical system administrators or user accounts for their logical
systems.
• Name-space separation—The same name cannot be used in two logical systems. For example, if logical-system1 includes the username “Bob” then other logical systems
on the device cannot include the username “Bob”.
• Commit rollback—Commit rollback is supported at the root level only.
• Trace and debug—Trace and debug are supported at the root level only.
• Class of service—You cannot configure class of service on logical tunnel (lt-0/0/0) interfaces.
• ALGs—The master administrator can configure ALGs at the root level. The configuration is inherited by all user logical systems. It cannot be configured discretely for user logical
systems.
Network Address Translation (NAT)
• Maximum capacities for source pools and IP addresses have been extended on
SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, as follows:
Pool/PAT Maximum Address Capacity          SRX1400   SRX3400, SRX3600   SRX5600, SRX5800
Source NAT pools                           8192      8192               12288
IP addresses supporting port translation   8192      8192               12288
PAT port number                            256M      256M               256M
Increasing the capacity of source NAT pools consumes memory needed for port
allocation. When source NAT pool and IP address limits are reached, port ranges should
be reassigned. That is, the number of ports for each IP address should be decreased
when the number of IP addresses and source NAT pools is increased. This ensures NAT
does not consume too much memory. Use the port-range statement in configuration
mode in the CLI to assign a new port range or the pool-default-port-range statement
to override the specified default.
Configuring port overloading should also be done carefully when source NAT pools
are increased.
For a source pool with port address translation (PAT) in the range 64,510 through 65,533,
two ports are allocated at one time for RTP/RTCP applications, such as SIP, H.323,
and RTSP. In these scenarios, each IP address supports PAT, occupying 2048 ports
(64,512 through 65,535) for Application Layer Gateway (ALG) module use. On SRX5600
and SRX5800 devices, if all of the 4096 source pool is configured, a port allocation
of 8,388,608 is reserved for twin port use.
• NAT rule capacity change—To support the use of large-scale NAT (LSN) at the edge of the carrier network, the device-wide NAT rule capacity has been changed.
The number of destination and static NAT rules has been incremented as shown in
Table 16 on page 210. The limitation on the number of destination-rule-set and
static-rule-set has been increased.
Table 16 on page 210 provides the requirements per device to increase the configuration
limitation as well as to scale the capacity for each device.
Table 16: Number of Rules on SRX3400, SRX3600, SRX5600, and SRX5800 Devices
NAT Rule Type          SRX3400, SRX3600   SRX5600, SRX5800
Source NAT rule        8192               8192
Destination NAT rule   8192               8192
Static NAT rule        20480              20480
The restriction on the number of rules per rule set has been increased so that there is
only a device-wide limitation on howmany rules a device can support. This restriction
is provided to help you better plan and configure the NAT rules for the device.
• IKE negotiations involving NAT-T—On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, IKE negotiations involving NAT-Traversal (NAT-T)
do not work if the IKE peer is behind a NAT device that will change the source IP address
of the IKE packets during the negotiation. For example, if the NAT device is configured
with DIP, it changes the source IP because the IKE protocol switches the UDP port from
500 to 4500.
Security
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, the limitation on the number
of addresses in an address-set has been increased. The number of addresses in an
address-set now depends on the device and is equal to the number of addresses
supported by the policy.
Table 17: Number of Addresses in an address-set on SRX3400, SRX3600, SRX5600, and SRX5800 Devices
Device    address-set
Default   1024
SRX3400   1024
SRX3600   1024
SRX5600   1024
SRX5800   1024
Simple Network Management Protocol (SNMP)
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show snmp
mib CLI command will not display the output for security-related MIBs. We recommend
that you use an SNMP client and prefix logical-system-name@ to the community name.
For example, if the community is public, use default@public for the default root logical
system.
Unsupported CLI
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the mvrp CLI
option under set protocols CLI command is not supported but it is visible. However, if
you enter these commands in the CLI editor, they will appear to succeed and will not
display an error message.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800, the command restart
ipsec-key-management is not supported.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the following
multicast IPv6 and MVPN CLI commands are not supported. However, if you enter
these commands in the CLI editor, they will appear to succeed and will not display an
error message.
• show multicast scope inet6
• show msdp sa group group
• show pim mvpn
Virtual Private Networks (VPNs)
• The local-IP feature is not supported on the following:
• SRX Series devices in chassis cluster configuration.
• SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the IPsec NAT-T
tunnel scaling and sustaining issues are as follows:
• For a given private IP address, the NAT device should translate both 500 and 4500
private ports to the same public IP address.
• The total number of tunnels from a given public translated IP cannot exceed 1000
tunnels.
Related Documentation
• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on
page 182
• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 217
• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
on page 212
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX
Series Services Gateways on page 220
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX
Series Services Gateways on page 195
Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
The following problems currently exist in Juniper Networks SRX Series Services Gateways
and J Series Services Routers. The identifier following the descriptions is the tracking
number in the Juniper Networks Problem Report (PR) tracking system.
Application Layer Gateway (ALG)
• On SRX3400 and SRX3600 devices, when the CPU of the central point (CP) reaches
99 percent, there is an RM group leak on the secondary node because of RTO message
drop. [PR/569624]
• On SRX3400 devices, in active/backup chassis cluster mode, after RG failover Avaya
phones cannot hang up. Some messages sent by Avaya phones are dropped by the
device. If you want to make another call, you should unregister the phone and register
again. [PR/581917]
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, after 2 days of NAT/ALG
traffic and with some failovers, SIP RM group leaks are observed when all calls and
sessions are dropped. [PR/584215]
• On SRX3400 devices, when you receive an initial acknowledgment (INIT-ACK), the
device records the cookie length in the association. If the cookie length is not a multiple of
four, the device pads it to a multiple of 4. For example, the length in the INIT-ACK is
183, but you save 184 in the association. When the cookie echo comes, the device compares
the cookie length in the packet with the recorded cookie length in the association. However,
it is not a padded value; that is, it is still 183 in the cookie length field of the cookie echo.
Therefore, the comparison fails, and the log shows the cookie as invalid. [PR/671238]
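The length mismatch described in this PR, modelled as an added Python example that is not Juniper code: it builds a constructed INIT-ACK State Cookie parameter and the matching COOKIE ECHO chunk, records the length the way the note describes (padded to 4) and the way that would match (the wire length), and runs the association check with each. The 4-byte parameter and chunk headers and the padding rule follow RFC 4960; the function names and the 179-byte cookie that yields the 183/184 pair are my own.

```python
"""Added example (not Juniper code): the SCTP state-cookie length mismatch
described in PR/671238, modelled on the INIT-ACK / COOKIE ECHO exchange.

SCTP parameters and chunks share a 4-byte header whose length field counts
the header plus the value but NOT the trailing padding to a 4-byte boundary
(RFC 4960). The note says the device stores a padded length from the
INIT-ACK and compares it with the unpadded length in the COOKIE ECHO, so
every cookie whose length is not a multiple of 4 is logged as invalid.
"""
import struct

SCTP_PARAM_STATE_COOKIE = 7   # INIT-ACK parameter type: State Cookie (RFC 4960)
SCTP_CHUNK_COOKIE_ECHO = 10   # chunk type: COOKIE ECHO (RFC 4960)


def pad4(length: int) -> int:
    """Round a length up to the next multiple of 4 (SCTP TLV padding)."""
    return (length + 3) & ~3


def build_state_cookie_param(cookie: bytes) -> bytes:
    """Constructed INIT-ACK State Cookie parameter: type, length, value, padding."""
    length = 4 + len(cookie)                     # length field excludes padding
    tlv = struct.pack("!HH", SCTP_PARAM_STATE_COOKIE, length) + cookie
    return tlv + b"\x00" * (pad4(length) - length)


def build_cookie_echo_chunk(cookie: bytes) -> bytes:
    """Constructed COOKIE ECHO chunk echoing the same cookie: type, flags, length, value, padding."""
    length = 4 + len(cookie)
    chunk = struct.pack("!BBH", SCTP_CHUNK_COOKIE_ECHO, 0, length) + cookie
    return chunk + b"\x00" * (pad4(length) - length)


def state_cookie_length(param: bytes) -> int:
    """Length field of a State Cookie parameter as carried on the wire."""
    ptype, plen = struct.unpack("!HH", param[:4])
    if ptype != SCTP_PARAM_STATE_COOKIE:
        raise ValueError(f"expected State Cookie parameter, got type {ptype}")
    return plen


def cookie_echo_length(chunk: bytes) -> int:
    """Length field of a COOKIE ECHO chunk as carried on the wire."""
    ctype, _flags, clen = struct.unpack("!BBH", chunk[:4])
    if ctype != SCTP_CHUNK_COOKIE_ECHO:
        raise ValueError(f"expected COOKIE ECHO chunk, got type {ctype}")
    return clen


def record_cookie_length_as_described(init_ack_param: bytes) -> int:
    """Behaviour the release note describes: the association stores the padded length."""
    return pad4(state_cookie_length(init_ack_param))


def record_cookie_length_unpadded(init_ack_param: bytes) -> int:
    """Alternative (my assumption): store the wire length, which is what COOKIE ECHO carries."""
    return state_cookie_length(init_ack_param)


def cookie_echo_accepted(recorded_length: int, cookie_echo: bytes) -> bool:
    """The association-level check: does the echoed chunk length equal the recorded one?"""
    return cookie_echo_length(cookie_echo) == recorded_length


def walk_through(cookie_value_len: int) -> dict:
    """Run both recording strategies for one cookie size and report what each check returns."""
    cookie = bytes([0xAB]) * cookie_value_len    # constructed opaque cookie value
    init_ack_param = build_state_cookie_param(cookie)
    echo = build_cookie_echo_chunk(cookie)
    padded = record_cookie_length_as_described(init_ack_param)
    unpadded = record_cookie_length_unpadded(init_ack_param)
    return {
        "init_ack_length": state_cookie_length(init_ack_param),
        "recorded_padded": padded,
        "cookie_echo_length": cookie_echo_length(echo),
        "accepted_with_padded_record": cookie_echo_accepted(padded, echo),
        "accepted_with_unpadded_record": cookie_echo_accepted(unpadded, echo),
    }


if __name__ == "__main__":
    # A 179-byte cookie value gives the 183 / 184 pair quoted in the release note.
    for name, value in walk_through(179).items():
        print(f"{name}: {value}")
```

Only cookie values whose TLV length is already a multiple of 4 pass the padded comparison, so the "invalid cookie" log line appears for roughly three out of four legitimate associations rather than only for tampered ones.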
• On SRX3400 and SRX5600 devices, CPS of RTSP ALG traffic in both Layer 2 and Layer
3 mode is dropped to 300 per SPU. [PR/676053]
• On SRX5600 devices in chassis cluster, if the ALG traffic is too high and twin ports are
used up, some single ports on the backup node might leak. [PR/705799]
Chassis Cluster
• On SRX1400 devices, a timing error is observed at the system I/O (sysio) interface,
which connects to IOC in slot 2. You can enable chassis cluster on the sysio ports, but
do not use the IOC card in slot 2 for Junos OS Release 11.4. [PR/680832]
• On SRX3400 devices, when a chassis cluster failover route change is triggered and
service-offload sessions are reinstalled, if a service-offload session is a multicast
session on the master node, that session is synced and installed as a normal
session on the backup node because the services-offload flag is not correctly synced to
the backup. [PR/696819]
• On SRX1400 devices in chassis cluster, unwanted timed-out data path trace messages
are seen. [PR/703272]
• On SRX5600 devices, the APN filter does not work when RG0 and RGX primary are in
different nodes. [PR/707047]
Flow and Processing
• On SRX3400 and SRX3600 devices, the diagnostic test (diagtest) for
recb_i2c_rep_clk_generator and recb_i2c_chassis_ideeprom fails. [PR/602621,
PR/704967]
• On SRX3600 devices, preempt can occur to the designated primary node with priority
0 on RG1+ if the designated secondary node is currently working as the primary node.
[PR/612753]
• On SRX5800 devices with chassis cluster in NAT mode, the unknown message log
ipc_msg_write: %PFE-3: IPC message type: 27, subtype: 2 exceeds MTU, mtu 3216, length
3504 might appear occasionally due to internal communication. [PR/612757]
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, changes in policer, filter,
or sampling configuration cause core files to be generated when multicast traffic is
received. [PR/613782]
• On SRX5800 devices, memory usage on the SPU by the KMD process might rise
unexpectedly, causing VPN tunnel setup problems.
Once the process reaches the memory usage limit, the following message will be
logged:
• Jun 20 09:19:46 HOSTNAME (FPC Slot N, PIC Slot M) kernel: Process (176,kmd)
attempted to exceed RLIMIT_DATA: attempted 262164 KB Max 262144 KB
[PR/664301]
• On SRX5600 devices, when GPRS tunneling protocol (GTP) is enabled and when there
are GTP-wide conflicts hashed in the same buckets, a core file is generated.
[PR/680822]
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, a successful
webauth entry will not be updated or rewritten if you log in again using another correct
username and password. Although there is a successful authentication entry, this might
still cause the user traffic not to pass through the firewall if the new username is added
as a client match user in the policy. [PR/683603]
• On SRX3600 devices, due to a remote race condition, the master Routing Engine might
not send the deletion of the destination route pointing to the decoupled next hop to
the replicated Routing Engine, which can result in rnh_index_alloc() error on the
replicated Routing Engine. [PR/684981]
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, the show
class-of-service application-traffic-control statistics rule command currently displays
the number of packets that arrive in a session. The command should actually display
the number of sessions. [PR/690691]
• On SRX5800 devices, due to some issue in the fxp driver, after deleting the fxp
configuration and rolling it back, the fxp0 is forcefully set to 100m/full duplex mode.
[PR/696733]
• On SRX1400 devices, traffic sent to yourself through a GRE tunnel is blocked
unexpectedly by policy. It is likely that the security flow process chooses the wrong
ingress interface instead of the physical interface beneath the GRE tunnel, which should
be gr-0/0/0.xl The workaround is to configure a to-self policy from the zone that
contains the physical interface of the GRE tunnel. [PR/698647]
• On SRX5600 devices, when IKE and IPsec configuration or security configuration is
removed and added back frequently, KMD core files might be generated. [PR/698718,
PR/698666]
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, a memory leak
occurs during the audit event processing. As a workaround, enable the security log
cache using the edit security log cache configuration statement. [PR/698907]
• On SRX5600 devices, the message vector create_pdp_rsp changes tunnel state from
half to active and inserts it into active timer wheel. These actions result in no tunnel
lock protection. When del_pdp_rsp deletes the user tunnel or clear path, this leads to
a change in both the aging flag and the timer wheel entry pointer. [PR/699147]
• On SRX5600 devices, after you modify the GTP profile's configuration within the
firewall, the modifications take effect only for newly created sessions; old sessions
are not affected by the new GTP profile settings. If you want to activate new GTP
profile settings for all sessions, then you should clear all sessions in the firewall.
[PR/703327]
• On SRX1400 devices, RTSP interleave data packets cannot be passed when the RTP
length is above 3K Bytes. [PR/703663]
• On SRX5600 devices, packets of packet-length 500 bytes get corrupted when only
packet capture of data path debug is present without record-pic-history and event
np-egress. [PR/706858]
Interfaces and Routing
• On SRX3400 devices, during failover, there is a small window of time in which the SPU
does not detect whether an NP is in services-offload mode or not. This might cause a
small number of the services-offload sessions to change to normal sessions.
[PR/697426]
• On SRX5600 devices, during GTP-in-GTP detection, the spare bytes in the GTPv0
packet header are bytes 10, 11, and 12. These three bytes need to be set to 0xff, but it is not
a mandatory requirement in the 3GPP TS. You can set the GTP-in-GTP denied feature,
and it checks these bytes as a mandatory field. If the value of all three bytes is not equal
to 0xff, then the packet is treated as not GTPv0 and is allowed to pass the firewall. As a result,
some malformed attack packets might get through the firewall. [PR/703267]
• On SRX3600 devices, after you configure the logical interfaces with IPv6 addresses, the corresponding routes are not resolved and remain in the reject state. As a result, the logical interfaces cannot reach each other. [PR/705847]
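As an added illustration of the GTP-in-GTP item above (example code written for these notes, not Juniper's implementation), the Python below contrasts a classifier that keys GTPv0 detection on spare octets 10-12 being 0xff with one that keys on the header's version bits and reports odd spare octets as malformed GTPv0 instead. The header layout follows 3GPP TS 09.60, and every sample packet is constructed inline.

```python
"""Classify GTPv0 headers by their version bits instead of by the spare octets.

Added example; not code from the Junos OS release notes or from Juniper Networks.
A classifier that treats "spare octets 10-12 == 0xff" as the test for GTPv0 lets a
header carrying other values there pass as non-GTP traffic; a classifier keyed on
the version bits still sees GTPv0 and can flag the spare octets as malformed.
Layout (3GPP TS 09.60): fixed 20-octet header, spare octets at 1-based octets
10-12, i.e. 0-based offsets 9-11.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GTPV0_HEADER_LEN = 20
SPARE = slice(9, 12)                 # 0-based offsets of 1-based octets 10..12
EXPECTED_SPARE = b"\xff\xff\xff"     # value senders are expected to put there


@dataclass
class GtpV0Header:
    protocol_type: int   # 1 = GTP, 0 = GTP'
    msg_type: int
    length: int          # payload length following the 20-octet header
    seq: int
    flow_label: int
    n_pdu: int
    spare: bytes
    tid: bytes           # 8-octet Tunnel ID


def parse_gtpv0(data: bytes) -> Optional[GtpV0Header]:
    """Parse a GTPv0 header; return None when the version bits say it is not GTPv0."""
    if len(data) < GTPV0_HEADER_LEN:
        return None
    flags = data[0]
    if flags >> 5 != 0:              # top three bits carry the GTP version
        return None                  # GTPv1, GTPv2 or not GTP at all
    msg_type, length, seq, flow_label, n_pdu = struct.unpack("!BHHHB", data[1:9])
    return GtpV0Header((flags >> 4) & 1, msg_type, length, seq, flow_label,
                       n_pdu, data[SPARE], data[12:20])


def spare_octet_check(data: bytes) -> str:
    """Classifier keyed on the spare octets alone (the behaviour the release note
    describes): anything without 0xff in octets 10-12 counts as non-GTPv0."""
    if len(data) >= GTPV0_HEADER_LEN and data[SPARE] == EXPECTED_SPARE:
        return "gtpv0"
    return "not-gtpv0"


def version_check(data: bytes) -> str:
    """Classifier keyed on the version bits; unexpected spare octets are reported
    as malformed GTPv0 rather than silently reclassified as non-GTP traffic."""
    hdr = parse_gtpv0(data)
    if hdr is None:
        return "not-gtpv0"
    if hdr.spare != EXPECTED_SPARE:
        return "gtpv0-malformed"
    return "gtpv0"


def build_gtpv0(msg_type: int, payload: bytes, spare: bytes = EXPECTED_SPARE) -> bytes:
    """Build a constructed GTPv0 message. Flags 0x1e = version 0, PT=1, spare bits 111, SNN=0."""
    # flags, message type, length, sequence number, flow label, N-PDU number (unused, 0xff)
    fixed = struct.pack("!BBHHHB", 0x1e, msg_type, len(payload), 0, 0, 0xff)
    return fixed + spare + bytes(8) + payload          # spare octets, zero TID, payload


# Constructed samples (not captured traffic).
GOOD_GTPV0 = build_gtpv0(0x10, b"\x00" * 4)                        # Create PDP Context Request
ZERO_SPARE_GTPV0 = build_gtpv0(0x10, b"\x00" * 4, spare=bytes(3))  # same, spare octets zeroed
# Version-1 header that happens to carry 0xff at offsets 9-11.
GTPV1_LOOKALIKE = bytes([0x30, 0x10, 0x00, 0x0a]) + bytes(5) + b"\xff\xff\xff" + bytes(8)


def compare(samples) -> dict:
    """Run both classifiers over the samples; returns {name: (spare-only, version-based)}."""
    return {name: (spare_octet_check(pkt), version_check(pkt)) for name, pkt in samples.items()}


if __name__ == "__main__":
    results = compare({"good": GOOD_GTPV0, "zero_spare": ZERO_SPARE_GTPV0,
                       "gtpv1": GTPV1_LOOKALIKE})
    for name, (by_spare, by_version) in results.items():
        print(f"{name:<11} spare-only={by_spare:<11} version-based={by_version}")
```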
Intrusion Detection and Prevention (IDP)
• On SRX5600 devices, loading the IDP detector might cause a flowd crash, showing
memcpy as the top of the stack. [PR/570361]
J-Web
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, on the following pages in the J-Web interface, if you try to generate a report by using the Generate Report option, the report opens in the same webpage:
• Monitor > Events and Alarms > View Events
[PR/433883]
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, using CLI you
can configure only an AppQoS rule set without configuring any other diff-services.
However, in J-Web, you should configure at least one diff-service for a new AppQoS
rule set configuration. [PR/686462]
• On SRX1400 devices, when modifying an existing policy or creating a new policy with the junos-host zone in J-Web, the junos-host zone is not available in the from-zone or to-zone list. [PR/697863]
• On SRX3400 devices, in J-Web, you cannot edit the lt interface for LSYS. [PR/700354]
Logical Systems
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, multiple logical systems that have the All attack policy fail to compile in the Routing Engine because of the memory limit.
The IDP policies for each user logical system are compiled together and stored in data plane memory. To estimate adequate data plane memory for a configuration, consider these two factors:
• IDP policies applied to each user logical system are considered unique instances because the ID and zones for each user logical system are different. Estimates need to take into account the combined memory requirements for all user logical systems.
• As the application database grows, compiled policies require more memory. Memory usage should be kept below the available data plane memory to allow for database growth.
[PR/667983]
• On SRX3400 devices, when you configure LSYS and then load override a configuration with a different LSYS configuration (both having the old and new LSYS), the proxy-ndp route might fail to push to the Packet Forwarding Engine. If you delete the old LSYS and add a new LSYS in one commit, the proxy-ndp route might also fail to push to the Packet Forwarding Engine. [PR/673930]
• On SRX5600 devices in a chassis cluster, some NAT sessions might keep invalidated
status after multiple failovers. [PR/676385]
• On SRX1400 devices, the logical systems (lsys) capacity number for
nat-rule-referenced-prefix lsys profile is displayed incorrectly. [PR/707108]
Management Information Base (MIB)
• On SRX3400, SRX3600, SRX5600, and SRX5800 devices, when polling a device with 5 SPCs and with 3 SPCs, the device reports the wrong number of sessions for the object ID jnxJsSPUMonitoringMaxTotalSession (1.3.6.1.4.1.2636.3.39.1.12.1.3.0). [PR/488653]
Network Address Translation (NAT)
• On SRX3600 devices, when there is heavy SIP traffic and share gate is involved, NAT
translation-context might leak. [PR/675869]
• On SRX3400 devices, NAT does not support ISSU prior to Junos OS Release 11.1. Therefore, when you attempt to upgrade the device from Junos OS Release 10.4 or 11.1 to Junos OS Release 11.4, the NAT configuration on the Packet Forwarding Engine side will be incorrect and NAT allocation will fail, preventing creation of the RTSP control session on the backup. [PR/686447]
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, static NAT with the default routing instance does not work. As a workaround, with static NAT configured, use a named routing instance instead of the default one. [PR/706183]
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, when you configure two static NAT rules in the default routing instance with the same prefix, where one rule is configured with static-nat prefix routing-instance default and the other rule is not, the commit completes without any prompt about the overlap. Do not use the same static NAT prefix addresses in two rules in the default routing instance with one rule configured as static-nat prefix routing-instance default and the other rule without it. [PR/708433]
Upgrade and Downgrade
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, application identification does not support downgrade of the image. When you attempt to downgrade the device from Junos OS Release 12.1 to 11.4, you must download and install the signature database again.
If you upgrade the device from Junos OS Release 11.4 to 12.1, the application identification signature will take about 30 seconds to recompile. During these 30 seconds, application identification does not identify the traffic, and traffic is dropped by application firewall as an unknown session. [PR/689304]
Virtual Private Network (VPN)
• On SRX3600 devices, after RG0 failover, packet loss is seen through VPNs.
[PR/604640]
• On SRX5600 devices in a large configuration with heavy traffic, after reboot failover in a chassis cluster, the Routing Engine on the new primary node becomes very busy. As a result, the FPC might detach, causing traffic to fail when passing through the firewall device. [PR/698150]
• On SRX5600 devices, the Key Management daemon (KMD) may restart when you change the configuration from dynamic endpoint (DEP) to shared IKE. The workaround for this issue is to deactivate security policies before switching the configuration from DEP to shared IKE. [PR/702222]
Related Documentation
• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220
Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways
The following are the issues that have been resolved in Junos OS Release 11.4 for Juniper
Networks SRX Series Services Gateways and J Series Services Routers. The identifier
following the descriptions is the tracking number in the Juniper Networks Problem Report (PR) tracking system.
Application Layer Gateways (ALGs)
• On SRX5600 devices in a chassis cluster, when 12-KB traffic was sent, RG1 and RG2
failover occurred with a resource manage error. [PR/601784: This issue has been
resolved.]
Chassis Cluster
• On SRX5600 devices, ISSU took additional time when network traffic was heavy. If
the ISSU process duration was longer than 1 hour, it aborted automatically without
completing the upgrade. [PR/585873: This issue has been resolved.]
• On SRX3600 devices in a chassis cluster, some interfaces on node 0 showed
unspecified speed and half-duplex. [PR/597575: This issue has been resolved.]
• On SRX5800 devices, chassis cluster was not failing over redundancy groups
automatically when one node experienced certain hardware errors (HSL2 link CRC
errors). [PR/606594: This issue has been resolved.]
Flow and Processing
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, predefined applications and application groups are editable. However, changes made to them were not persistent across application identification signature or IDP signature database upgrades, and commit failed. [PR/560897: This issue has been resolved.]
• On SRX5800 devices in NAT mode, flowd crashed due to kernel memory corruption that was triggered by a race condition when the IDP module was maintaining the ASC (application system cache) pool. [PR/579242: This issue has been resolved.]
• On SRX3400, SRX3600, and SRX5600 devices, hostbound traffic BFD session state
did not change from the init state. [PR/601310: This issue has been resolved.]
• On SRX1400, SRX3400, and SRX3600 devices, when the receiver for a multicast group was in dense mode, no multicast traffic was observed. [PR/601850: This issue has been resolved.]
• On SRX5800 devices, data plane security logs sent in security log mode stream were emitted with the facility encoded as UUCP. The PRI value has been changed to correctly show the USER facility in the system logs sent directly from the data plane. This change does not affect logs sent from the Routing Engine. [PR/663022: This issue has been resolved.]
• On SRX3400 devices, the SIP datagrams were being reordered, resulting in a rejection of the INVITE message from the X-Lite client to the other user. [PR/667420: This issue has been resolved.]
• On SRX3400 devices, small packets were dropped when preserve-trace-order or record-packet-history was enabled during data path debugging. [PR/671900: This issue has been resolved.]
• On SRX3400 devices, in transparent mode, the EBGP session timeout was not updated, causing sessions to close after 20 seconds. [PR/671942: This issue has been resolved.]
Installation and Upgrade
• On SRX1400 devices, when you upgraded or downgraded to an earlier or later Junos OS version and upgraded or downgraded the data path FPGA images, the traffic did not flow through the device immediately after the upgrade or downgrade was complete. The fabric (HSL2) links of the SPC and NPC cards were prematurely reported as being in fault, reset, or error state following an automatic upgrade or downgrade of the FPGAs. [PR/608148: This issue has been resolved.]
Intrusion Detection and Prevention (IDP)
• On SRX5800 devices, removing the ip-block action statement from the IDP configuration blocked the applicable traffic. [PR/599245: This issue has been resolved.]
Infrastructure
• On SRX5800 devices, when more than 10 member links were added to an aggregate bundle and then to a class-of-service process, sometimes core files were generated and devices restarted due to memory corruption in the process. [PR/613422: This issue has been resolved.]
Interfaces and Routing
• On SRX5600 devices, there were issues with support for GTPv2 and GTP ISSU failure
between Junos OS Release 11.2 and later releases. [PR/664202: This issue has been
resolved.]
IPv6
• On SRX3600 devices, the IPv6 self-traffic caused flowd_xlr files to be generated.
[PR/667592: This issue has been resolved.]
• On SRX3400 devices, in some cases IPv6 flow sessions were overwriting other memory, causing incorrect statistics or memory corruption. The memory corruption triggered generation of a flowd core file. [PR/672794: This issue has been resolved.]
J-Web
• On SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices, you were unable to make custom column alignment on the UTM policy and Zone configuration pages. [PR/667207: This issue has been resolved.]
• On SRX3400 devices, sometimes J-Web did not populate content properly. [PR/671805: This issue has been resolved.]
Logical Systems
• On SRX3400 devices, when NAT64 was used in logical system (LSYS), the binding
did not age out and the reversed binding did not match successfully. The NAT64 in
LSYS function did not work. [PR/675052: This issue has been resolved.]
Network Address Translation (NAT)
• On SRX3400 devices, when the DUT was configured with the maximum reference number of address-books in source NAT or destination NAT, the Routing Engine and Packet Forwarding Engine were different. [PR/580201: This issue has been resolved.]
• SRX1400 devices supported only 256 destination NAT pools; this number did not
match the specification sheet of 4096. [PR/598474: This issue has been resolved.]
• On SRX3600 devices, under certain specific circumstances, interface-based source
NAT resources leaked. [PR/613300: This issue has been resolved.]
SNMP MIBs
• On SRX5800 devices, the NAT SNMP MIB counter jnxJsNatSrcNumSessions was not refreshed until the walk command was issued. [PR/663788: This issue has been resolved.]
Virtual Private Network (VPN)
• On SRX3600 devices, KMD core files were generated after users deleted and re-added VPN configurations. [PR/560932: This issue has been resolved.]
• On SRX3600 devices, the secondary node of the dynamic endpoint tunnel IP did not
update correctly during cold synchronization. [PR/604640: This issue has been
resolved.]
Related Documentation
• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220
Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways
Errata for the Junos OS Software Documentation
This section lists outstanding issues with the software documentation.
Junos OS CLI Reference
• The Junos OS CLI Reference incorrectly specifies the IPsec proposal options in the proposal-set (IPsec) section. The IPsec proposals should be as follows:
• basic—nopfs-esp-des-sha and nopfs-esp-des-md5
• compatible—nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, and nopfs-esp-des-md5
• standard—g2-esp-3des-sha and g2-esp-aes128-sha
J-Web
• J-Web security package update Help page—The J-Web Security Package Update Help page does not contain information about the download status.
• J-Web pages for stateless firewall filters—There is no documentation describing the J-Web pages for stateless firewall filters. To find these pages in J-Web, go to Configure > Security > Firewall Filters, and then select IPv4 Firewall Filters or IPv6 Firewall Filters. After configuring the filters, select Assign to Interfaces to assign your configured filters to interfaces.
• J-Web Configuration Instructions—Because of ongoing J-Web interface enhancements, some of the J-Web configuration example instructions in the Junos administration and configuration guides became obsolete and thus were removed. For examples that are missing J-Web instructions, use the provided CLI instructions.
Junos OS Security Configuration Guide
• The Junos OS Security Configuration Guide incorrectly states that the release supports
security chains, which validate a certificate path upward through eight levels of CA
authorities in the PKI hierarchy. The release does not support security chains.
Errata for the Junos OS Hardware Documentation
This section lists outstanding issues with the hardware documentation.
SRX1400 Services Gateway Hardware Guide
• The fan tray LED table in the “Replacing the Fan Tray on the SRX1400 Services
Gateway” section of the SRX1400 Services Gateway Hardware Guide erroneously
documents that:
Amber (On Steadily): Fan tray LED cannot detect fan failure.
The correct information for this section is as follows: Amber LED (on steadily): Fan
tray LED does not indicate fan failure.
• Some of the graphics in the SRX1400 Services Gateway Hardware Guide show the grounding lug attached to the front panel of the device. However, the SRX1400 Services Gateway is not shipped with the grounding lug attached to it.
• In the SRX1400 Services Gateway Hardware Guide, the following topics erroneously document the “RE ETHERNET” port as the “ETHERNET” port.
• Connecting the SRX1400 Services Gateway to a Network for Out-of-Band Management
• SRX1400 Services Gateway Software Configuration Overview
• The SRX1400 Services Hardware Guide and the SRX1400 Services Getting Started Guide are missing the following note:
NOTE: AC and DC Power Supply Units are not interoperable between the SRX1400 Services Gateway and the SRX3000 and SRX5000 lines.
SRX1400 Services Gateway Getting Started Guide
• In the SRX1400 Services Gateway Getting Started Guide, some of the graphics are shown with the grounding lug attached on the front panel of the device. However, the SRX1400 Services Gateway is not shipped with the grounding lug attached to it.
• Some of the graphics in the SRX1400 Services Gateway Getting Started Guide show
graphics with the grounding lug attached to the device front panel. The grounding lug
is not attached to the device at the time of shipment.
• The SRX1400 Services Gateway Getting Started Guide should document the following
statement:
You can replace the Network and Services Processing Card (NSPC) with the SRX3000 line Services Gateway Network Processing Card (NPC) and Services Processing Card (SPC). To install the NPC and SPC on the SRX1400 Services Gateway, you must order the Twin CFM holder tray (SRX1K3K-2CFM-TRAY) to hold two single-wide CFMs (NPC and SPC) separately. Contact your Juniper Networks customer service representative for more information.
• In the SRX1400 Services Gateway Getting Started Guide, the following sections
erroneously document the “RE ETHERNET” port as the “ETHERNET” port.
• Step 5: Connect the External Devices and IOC Cables to the SRX1400 Services
Gateway
• Step 7: Perform the Initial Software Configuration on the SRX1400 Services Gateway
Related Documentation
• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182
• Known Limitations in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 198
• Outstanding Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 212
• Resolved Issues in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 217
Upgrade and Downgrade Instructions for Junos OS Release 11.4 for High-End SRX Series Services Gateways
In order to upgrade to Junos OS Release 11.4 or later, your device must be running one of
the following Junos OS Releases:
• 9.1S1
• 9.2R4
• 9.3R3
• 9.4R3
• 9.5R1 or later
If your device is running an earlier release, upgrade to one of these releases and then to
the 11.4 release. For example, to upgrade from Release 9.2R1, first upgrade to Release
9.2R4 and then to Release 11.4.
For additional upgrade and download information, see the Junos OS Initial Configuration Guide for Security Devices and the Junos OS Migration Guide.
• Upgrade and Downgrade Scripts for Address Book Configuration on page 223
• Upgrade Policy for Junos OS Extended End-Of-Life Releases on page 226
• Hardware Requirements for Junos OS Release 11.4 for High-End SRX Series Services
Gateways on page 226
Upgrade and Downgrade Scripts for Address Book Configuration
Beginning with Junos OS Release 11.4, you can configure address books under the [security] hierarchy and attach security zones to them (zone-attached configuration). In Junos OS Release 11.1 and earlier, address books were defined under the [security zones] hierarchy (zone-defined configuration).
You can either define all address books under the [security] hierarchy in a zone-attached configuration format or under the [security zones] hierarchy in a zone-defined configuration format; the CLI displays an error and fails to commit the configuration if you configure both configuration formats on one system.
Juniper Networks provides Junos operation scripts that allow you to work in either of the
address book configuration formats (see Figure 2 on page 225).
• About Upgrade and Downgrade Scripts on page 223
• Running Upgrade and Downgrade Scripts on page 225
About Upgrade and Downgrade Scripts
After downloading the Junos OS Release 11.4, you have the following options for
configuring the address book feature:
• Use the default address book configuration—You can configure address books using the zone-defined configuration format, which is available by default. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.
• Use the upgrade script—You can run the upgrade script available on the Juniper Networks support site to configure address books using the new zone-attached configuration format. When upgrading, the system uses the zone names to create address books. For example, addresses in the trust zone are created in an address book named trust-address-book and are attached to the trust zone. IP prefixes used in NAT rules remain unaffected.
After upgrading to the zone-attached address book configuration:
• You cannot configure address books using the zone-defined address book
configuration format; the CLI displays an error and fails to commit.
• You cannot configure address books using the J-Web interface.
For information on how to configure zone-attached address books, see the Junos OS
Release 11.4 documentation.
• Use the downgrade script—After upgrading to the zone-attached configuration, if you want to revert to the zone-defined configuration, use the downgrade script available on the Juniper Networks support site. For information on how to configure zone-defined address books, see the Junos OS Release 11.1 documentation.
NOTE: Before running the downgrade script, make sure to revert any configuration that uses addresses from the global address book.
Figure 2: Upgrade and Downgrade Scripts for Address Books
[Figure: zone-defined address book → download Junos OS Release 11.2 or later and run the upgrade script → zone-attached address book configuration (global address book is available by default; address book is defined under the security hierarchy; zones need to be attached to address books) → run the downgrade script (note: make sure to revert any configuration that uses addresses from the global address book) → zone-defined address book.]
Running Upgrade and Downgrade Scripts
The following restrictions apply to the address book upgrade and downgrade scripts:
• The scripts cannot run unless the configuration on your system has been committed. Thus, if the zone-defined address book and zone-attached address book configurations are present on your system at the same time, the scripts will not run.
• The scripts cannot run when the global address book exists on your system.
• If you upgrade your device to Junos OS Release 11.4 and configure logical systems, the master logical system retains any previously configured zone-defined address book configuration. The master administrator can run the address book upgrade script to convert the existing zone-defined configuration to the zone-attached configuration. The upgrade script converts all zone-defined configurations in the master logical system and user logical systems.
NOTE: You cannot run the downgrade script on logical systems.
For information about implementing and executing Junos operation scripts, see the Junos OS Configuration and Operations Automation Guide.
Upgrade Policy for Junos OS Extended End-Of-Life Releases
An expanded upgrade and downgrade path is now available for the Junos OS Extended End-of-Life (EEOL) releases. You can upgrade directly from one EEOL release to one of two adjacent later EEOL releases. You can also downgrade directly from one EEOL release to one of two adjacent earlier EEOL releases.
For example, Junos OS Releases 9.3, 10.0, and 10.4 are all EEOL releases. You can upgrade from Junos OS Release 8.5 directly to either 9.3 or 10.0. To upgrade from Release 8.5 to 10.4, you first need to upgrade to Junos OS Release 9.3 or 10.0, and then upgrade a second time to 10.4. Similarly, you can downgrade directly from Junos OS Release 10.4 to either 10.0 or 9.3. To downgrade from Release 10.4 to 8.5, you first need to downgrade to 10.0 or 9.3, and then perform a second downgrade to Release 8.5.
For upgrades and downgrades to or from a non-EEOL release, the current policy is that you can upgrade and downgrade by no more than three releases at a time. This policy remains unchanged.
For more information on EEOL releases and to review a list of EEOL releases, see http://www.juniper.net/support/eol/junos.html.
Hardware Requirements for Junos OS Release 11.4 for High-End SRX Series Services Gateways
Transceiver Compatibility for SRX Series Devices
We strongly recommend that only transceivers provided by Juniper Networks be used on high-end SRX Series Services Gateways interface modules. Different transceiver types (long-range, short-range, copper, and others) can be used together on multiport SFP interface modules as long as they are provided by Juniper Networks. We cannot guarantee that the interface module will operate correctly if third-party transceivers are used.
Please contact Juniper Networks for the correct transceiver part number for your device.
Related Documentation
• New Features in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 182
• Errata and Changes in Documentation for Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 220
• Changes in Default Behavior and Syntax in Junos OS Release 11.4 for High-End SRX Series Services Gateways on page 195
Junos OS Documentation and Release Notes
For a list of related Junos OS documentation, see http://www.juniper.net/techpubs/software/junos/.
If the information in the latest release notes differs from the information in the documentation, follow the Junos OS Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.
Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to
[email protected], or fill out the documentation feedback form at
https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include
the following information with your comments:
• Document name
• Document part number
• Page number
• Software release version
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/customers/support/downloads/710059.pdf.
• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support.html.
If you are reporting a hardware or software problem, issue the following command from
the CLI before contacting support:
user@host> request support information | save filename
To provide a core file to Juniper Networks for analysis, compress the file with the gzip
utility, rename the file to include your company name, and copy it to
ftp.juniper.net:pub/incoming. Then send the filename, along with software version
information (the output of the show version command) and the configuration, to
[email protected]. For documentation issues, fill out the bug report form located at
https://www.juniper.net/cgi-bin/docbugreport/.
Revision History
8 December 2011—Revision 5, Junos OS 11.4.R1 Phase 1
6 December 2011—Revision 4, Junos OS 11.4.R1 Phase 1
1 December 2011—Revision 3, Junos OS 11.4.R1 Phase 1
21 November 2011—Revision 2, Junos OS 11.4.R1 Phase 1
17 November 2011—Revision 1, Junos OS 11.4.R1 Phase 1
Copyright © 2011, Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.